{"id":"CVE-2021-36370","details":"An issue was discovered in Midnight Commander through 4.8.26. When establishing an SFTP connection, the fingerprint of the server is neither checked nor displayed. As a result, a user connects to the server without the ability to verify its authenticity.","modified":"2026-04-16T04:33:19.174520194Z","published":"2021-08-30T19:15:08.917Z","related":["openSUSE-SU-2022:0061-1","openSUSE-SU-2024:11580-1"],"references":[{"type":"ADVISORY","url":"https://mail.gnome.org/archives/mc-devel/2021-August/msg00008.html"},{"type":"ADVISORY","url":"https://midnight-commander.org/"},{"type":"ADVISORY","url":"https://sourceforge.net/projects/mcwin32/files/"},{"type":"EVIDENCE","url":"https://docs.ssh-mitm.at/CVE-2021-36370.html"},{"type":"EVIDENCE","url":"https://github.com/MidnightCommander/mc/blob/5c1d3c55dd15356ec7d079084d904b7b0fd58d3e/src/vfs/sftpfs/connection.c#L484"},{"type":"EVIDENCE","url":"https://github.com/MidnightCommander/mc/blob/master/src/vfs/sftpfs/connection.c"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/midnightcommander/mc","events":[{"introduced":"0"},{"last_affected":"a88a626e76139259e5b6fc0db39045f051e243dd"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.8.26"}]}}],"versions":["4.6.1","4.6.2-pre1","4.6.99","4.6.99.1","4.6.99.2","4.6.99.3","4.7.0","4.7.0-pre1","4.7.0-pre2","4.7.0-pre3","4.7.0-pre4","4.7.0.1","4.7.1","4.7.2","4.7.3","4.7.4","4.7.5","4.7.5-pre1","4.8.0","4.8.0-pre1","4.8.0-pre2","4.8.1","4.8.10","4.8.11","4.8.12","4.8.13","4.8.14","4.8.15","4.8.16","4.8.17","4.8.18","4.8.19","4.8.2","4.8.20","4.8.21","4.8.22","4.8.23","4.8.24","4.8.25","4.8.26","4.8.3","4.8.4","4.8.5","4.8.6","4.8.7","4.8.8","4.8.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-36370.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}