WinSCP < 5.1.7 Multiple Vulnerabilities

Medium Nessus Plugin ID 72389


The remote Windows host has an application installed that is affected by multiple vulnerabilities.


The version of WinSCP installed on the remote host is prior to 5.1.7. It therefore contains code from PuTTY that is affected by the following vulnerabilities:

- An overflow error exists that allows heap corruption when handling DSA signatures. (CVE-2013-4206)

- A buffer overflow error exists related to modular inverse calculation, non-coprime values, and DSA signature verification. (CVE-2013-4207)

- An error exists that allows disclosure of private key material. (CVE-2013-4208)


Upgrade to WinSCP version 5.1.7 / 5.2.4 beta or later.

Plugin Details

Severity: Medium

ID: 72389

File Name: winscp_5_1_7.nasl

Version: $Revision: 1.2 $

Type: local

Agent: windows

Family: Windows

Published: 2014/02/07

Modified: 2014/10/07

Dependencies: 72387

Risk Information

Risk Factor: Medium


Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:winscp:winscp

Required KB Items: installed_sw/WinSCP

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2013/08/14

Vulnerability Publication Date: 2013/08/06

Reference Information

CVE: CVE-2013-4206, CVE-2013-4207, CVE-2013-4208

BID: 61644, 61645, 61649

OSVDB: 96080, 96081, 96210