Forum » Support and Bug Reports »

Critical Issue - CVE-2022-37434 - reported in versions of zlib libraries referenced by

Advertisement

sgk
Joined:
Posts:
1

Critical Issue - CVE-2022-37434 - reported in versions of zlib libraries referenced by

This has been reported as a critical (9.8) vulnerability for zlib libraries used by WinSCP - https://nvd.nist.gov/vuln/detail/cve-2022-37434
Vulnerability description -
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
Metrics  
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 3.x Severity and Vector Strings:

NIST CVSS scoreNIST: NVD
Base Score: 9.8 CRITICALVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ADP: CISA-ADP
Base Score: 9.8 CRITICALVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Refer to this link for details on the vulnerability found using the ReversingLabs binary scan tool - https://secure.software/nuget/packages/winscp

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
42,389
Location:
Prague, Czechia

Re: Critical Issue - CVE-2022-37434 - reported in versions of zlib libraries referenced by

To our best knowledge, WinSCP uses zlib library only internally to render PNG toolbar icons loaded from within signed WinSCP binary itself.

So we believe the zlib vulnerability is not exploitable, because zlib-using PNG decode code paths are only used to process trusted, embedded PNG resources, and never for any user-supplied PNG files.

Reply with quote

Advertisement

You can post new topics in this forum

Documentation

Support

Associations

Follow Us