CVE-2011-4607 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Putty

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer6 documents6 sources

Severity

2.1LOWNVD

EPSS

0.1%

top 82.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Putty Debian Putty

Timeline

PublishedAug 23

Latest updateMay 14

Description

PuTTY 0.59 through 0.61 does not clear sensitive process memory when managing user replies that occur during keyboard-interactive authentication, which might allow local users to read login passwords by obtaining access to the process' memory.

CVSS vector

AV:L/AC:L/C:P/I:N/A:NExploitability: 3.9 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/putty< putty 0.62-1 (bookworm)

▶Debianputty/putty< 0.62-1+3

▶NVDputty/putty0.59, 0.60, 0.61+2

🔴Vulnerability Details

GHSA

GHSA-h9rc-mm9p-hjjg: PuTTY 0↗2022-05-14

▶

CVEList

CVE-2011-4607: PuTTY 0↗2013-08-23

▶

OSV

CVE-2011-4607: PuTTY 0↗2013-08-23

▶

📋Vendor Advisories

Debian

CVE-2011-4607: putty - PuTTY 0.59 through 0.61 does not clear sensitive process memory when managing us...↗2011

▶

💬Community

Bugzilla

CVE-2011-4607 putty: keyboard-interactive replies are not wiped from memory after authentication↗2011-12-12

▶