CVE-2003-0069 — Improper Neutralization of Escape, Meta, or Control Sequences in Putty

CWE-150 — Improper Neutralization of Escape, Meta, or Control Sequences CWE-116 — Improper Encoding or Escaping of Output7 documents5 sources

Severity

8.8HIGHNVD

NVD7.5GHSA7.5OSV7.5

EPSS

0.3%

top 42.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Putty Github.com Mutagen-io Mutagen Github.com Mutagen-io Mutagen-compose +4 more

Timeline

PublishedMar 18

Latest updateMay 5

Description

The PuTTY terminal emulator 0.53 allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages8 packages

▶debiandebian/putty< putty 0.54-1 (bookworm)

▶Debianputty/putty< 0.54-1+3

▶NVDputty/putty0.53

▶NVDmutagen/mutagen< 0.16.6+1

▶NVDmutagen/mutagen_compose< 0.17.1

🔴Vulnerability Details

GHSA

Mutagen list and monitor operations do not neutralize control characters in text controlled by remote endpoints↗2023-05-05

▶

OSV

Mutagen list and monitor operations do not neutralize control characters in text controlled by remote endpoints↗2023-05-05

▶

GHSA

GHSA-cqhr-cfp6-qx66: The PuTTY terminal emulator 0↗2022-04-29

▶

OSV

CVE-2003-0069: The PuTTY terminal emulator 0↗2003-03-18

▶

📋Vendor Advisories

Debian

CVE-2003-0069: putty - The PuTTY terminal emulator 0.53 allows attackers to modify the window title via...↗2003

▶