CVE-2021-3331

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-3331
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-3331.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-3331
Published
2021-01-27T21:15:16.840Z
Modified
2025-11-14T11:55:11.339925Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

WinSCP before 5.17.10 allows remote attackers to execute arbitrary programs when the URL handler encounters a crafted URL that loads session settings. (For example, this is exploitable in a default installation in which WinSCP is the handler for sftp:// URLs.)

References

Affected packages

Git / github.com/winscp/winscp

Affected ranges

Type
GIT
Repo
https://github.com/winscp/winscp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

5.*

5.10
5.10.1
5.10.2
5.10.3
5.10.4
5.11
5.11.1
5.11.2
5.11.3
5.12
5.12.1
5.12.2
5.13
5.13.1
5.13.2
5.13.3
5.13.4
5.13.5
5.13.6
5.13.7
5.13.8
5.13.9
5.14
5.14.1
5.14.2
5.14.3
5.14.4
5.14.5
5.15
5.15.1
5.15.2
5.15.3
5.15.4
5.15.5
5.15.6
5.15.7
5.15.9
5.16-beta
5.16.1-beta
5.16.2-RC
5.16.3-RC
5.16.4-RC
5.16.5-RC
5.16.6-RC
5.16.7-rc
5.17
5.17.1
5.17.2
5.17.3
5.17.4
5.17.5
5.17.6
5.17.7
5.17.8
5.17.9
5.7.6
5.7.7
5.8
5.8.1
5.8.2
5.8.3
5.8.4
5.9
5.9.1
5.9.2
5.9.3
5.9.4
5.9.5
5.9.6

Database specific

vanir_signatures
