CVE-2021-36370 — Improper Authentication in Midnight Commander

CWE-287 — Improper Authentication6 documents6 sources

Severity

7.5HIGHNVD

EPSS

1.1%

top 22.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian MC Midnight-commander Midnight Commander Msrc Cbl2 MC 4.8.27-1 ON CBL Mariner 2.0 +5 more

Timeline

PublishedAug 30

Latest updateAug 9

Description

An issue was discovered in Midnight Commander through 4.8.26. When establishing an SFTP connection, the fingerprint of the server is neither checked nor displayed. As a result, a user connects to the server without the ability to verify its authenticity.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages8 packages

▶NVDmidnight-commander/midnight_commander4.8.26

▶debiandebian/mc< mc 3:4.8.27-1 (bookworm)

▶msrcmsrc/cbl_mariner_1.0_arm

▶msrcmsrc/cbl_mariner_1.0_x64

▶msrcmsrc/cbl_mariner_2.0_arm

🔴Vulnerability Details

GHSA

GHSA-j8px-qjm3-fx72: An issue was discovered in Midnight Commander through 4↗2022-05-24

▶

OSV

CVE-2021-36370: An issue was discovered in Midnight Commander through 4↗2021-08-30

▶

📋Vendor Advisories

Ubuntu

Midnight Commander vulnerability↗2022-08-09

▶

Microsoft

An issue was discovered in Midnight Commander through 4.8.26. When establishing an SFTP connection the fingerprint of the server is neither checked nor displayed. As a result a user connects to the se↗2021-08-10

▶

Debian

CVE-2021-36370: mc - An issue was discovered in Midnight Commander through 4.8.26. When establishing ...↗2021

▶