A malicious sftp server may force a client-side relative path traversal in jsch’s implementation for recursive sftp-get allowing the server to write files outside the clients download basedir with effective permissions of the jsch sftp client process. Versions 0.1.53 and below are affected.