All SCP (Secure Copy Protocol) implementations from the last 36 years, since 1983, are vulnerable to four security bugs that allow a malicious SCP server to make unauthorized changes to a client's (user's) system and hide malicious operations on the device.

For our readers not familiar with SCP, the protocol is a "secure" implementation of RCP (Remote Copy Protocol), a protocol for transferring files over a network. SCP works on top of the SSH protocol and supports an authentication mechanism to provide authenticity and confidentiality for transferred files, just as SSH provides the same for the older and insecure Telnet protocol.

SCP has been used as a standalone app under the same name since its first release back in 1983, but has also been included in other apps. For example, SCP is the standard method of file transfer for OpenSSH, PuTTY and WinSCP. Whenever users transfer files between a server and a client (or vice versa) via these apps, the files are transferred via the SCP protocol, unbeknownst to the user, unless users have chosen to use the SFTP protocol as the default mode for data transfers.

The vulnerabilities have been identified by Harry Sintonen, a security researcher with Finnish cyber-security firm F-Secure, who has been working since August of last year to have them fixed and patched in the major apps that support the SCP protocol. In a security advisory published last week on his personal website, Sintonen revealed that there are four major security bugs affecting SCP implementations:

- CVE-2018-20685 - An SCP client app allows a remote SCP server to modify the target directory's permissions.
- CVE-2019-6111 - A malicious SCP server can overwrite arbitrary files in the target directory of the SCP client. If a recursive (-r) operation is carried out, the server can also manipulate sub-directories (for example, overwrite .ssh/authorized_keys).
- CVE-2019-6109 - ANSI code can be used to manipulate the terminal client output to hide subsequent operations.
- CVE-2019-6110 - Similar to the above.

The issues are rooted in the original BSD implementation of the RCP protocol, which means that all SCP implementations in the last 36 years have been affected to a different extent.

It should be noted that any attack that may attempt to exploit these vulnerabilities depends on a malicious party that takes over an SCP server or is in a man-in-the-middle position, although the MitM attack may be easy to detect because the victim needs to accept the wrong host fingerprint.

Only the WinSCP team has addressed the reported issues, with the release of WinSCP 5.14, at the time of writing. If patching is not an option or is out of the user's control, SCP clients should be configured to request files via SFTP (Secure FTP).

We will do our best to update this article. After the publishing date of this article, users who believe they may be affected can keep an eye on Sintonen's security advisory for updated information on upcoming patches for other SCP clients.