CVE-2014-2735

WinSCP < 5.5.3 - Man-in-the-Middle Attack via Improper Certificate Hostname Validation

Title source: llm
STIX 2.1

Description

WinSCP before 5.5.3, when FTP with TLS is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/531847/100/0/threaded
Various Sources x_refsource_confirm
http://winscp.net/eng/docs/history
Various Sources x_refsource_confirm
http://winscp.net/tracker/show_bug.cgi?id=1152

Scores

EPSS 0.0079
EPSS Percentile 52.0%

Details

CWE
CWE-20
Status published
Products (3)
winscp/winscp 5.5
winscp/winscp 5.5.1
winscp/winscp < 5.5.2
Published Apr 22, 2014
Tracked Since Feb 18, 2026