CVE-2021-36370

EUVD-2021-22990
An issue was discovered in Midnight Commander through 4.8.26. When establishing an SFTP connection, the fingerprint of the server is neither checked nor displayed. As a result, a user connects to the server without the ability to verify its authenticity.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 78%
Affected Products (NVD)
VendorProductVersion
midnight-commandermidnight_commander
𝑥
≤ 4.8.26
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
mc
bookworm
3:4.8.29-2
fixed
bullseye
no-dsa
buster
no-dsa
sid
3:4.8.31-1
fixed
stretch
no-dsa
trixie
3:4.8.31-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
mc
bionic
Fixed 3:4.8.19-1ubuntu0.1~esm1
released
focal
Fixed 3:4.8.24-2ubuntu1+esm1
released
hirsute
ignored
impish
ignored
jammy
Fixed 3:4.8.27-1
released
kinetic
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
Fixed 3:4.8.11-1ubuntu0.1~esm1
released
xenial
Fixed 3:4.8.15-2ubuntu0.1~esm1
released
Common Weakness Enumeration
References
https://docs.ssh-mitm.at/CVE-2021-36370.html
https://github.com/MidnightCommander/mc/blob/5c1d3c55dd15356ec7d079084d904b7b0fd58d3e/src/vfs/sftpfs/connection.c#L484
https://github.com/MidnightCommander/mc/blob/master/src/vfs/sftpfs/connection.c
https://mail.gnome.org/archives/mc-devel/2021-August/msg00008.html
https://midnight-commander.org/
https://sourceforge.net/projects/mcwin32/files/
https://docs.ssh-mitm.at/CVE-2021-36370.html
https://github.com/MidnightCommander/mc/blob/5c1d3c55dd15356ec7d079084d904b7b0fd58d3e/src/vfs/sftpfs/connection.c#L484
https://github.com/MidnightCommander/mc/blob/master/src/vfs/sftpfs/connection.c
https://mail.gnome.org/archives/mc-devel/2021-August/msg00008.html
https://midnight-commander.org/
https://sourceforge.net/projects/mcwin32/files/