A vulnerability was discovered in JSch that allows a malicious sftp server to force a client-side relative path traversal in jsch's implementation for recursive sftp-get. An attacker could leverage this to write files outside the client's download basedir with effective permissions of the jsch sftp client process.
The following flaw was found in jsch:
A malicious sftp server may force a client-side relative path traversal in jsch's implementation for recursive sftp-get allowing the server to write files outside the clients download basedir with effective permissions of the jsch sftp client process.
This issue has been addressed in the following products:
Red Hat JBoss Fuse
Via RHSA-2017:3115 https://access.redhat.com/errata/RHSA-2017:3115
This was fixed upstream in version 0.1.54, as noted in the upstream release announcement:
Created attachment 1366981 [details]
There does not seem to be any public source repository for this project, hence attaching the relevant part of the diff between 0.1.53 and 0.1.54.
This issue only affected Windows and platforms where backslash character '\' is a valid filesystem path separator. Prior to the fix, a malicious sftp server could send a file with a name containing a sequence of ..\ which was then appended to the local destination directory name and resulted in the directory traversal on those platforms. The code prior to the patch attempted to locate the last occurrence of slash '/' in the server-provided name to extract base file name to append to the destination directory name. Therefore, directory traversal using ../ sequence was not possible.
The applied fix is more generic - it checks whether the constructed destination file name contains '..' and performs path name canonicalization if it does, followed by a check to ensure that the path does not point outside of the intended destination directory.