CVE-2013-4208 — Sensitive Information Exposure in Tatham Putty

CWE-200 — Sensitive Information Exposure6 documents6 sources

Severity

2.1LOWNVD

EPSS

0.1%

top 80.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Filezilla Putty Simon Tatham Putty

Timeline

PublishedAug 19

Latest updateMay 14

Description

The rsa_verify function in PuTTY before 0.63 (1) does not clear sensitive process memory after use and (2) does not free certain structures containing sensitive process memory, which might allow local users to discover private RSA and DSA keys.

CVSS vector

AV:L/AC:L/C:P/I:N/A:NExploitability: 3.9 | Impact: 2.9

Affected Packages4 packages

▶Debianputty/putty< 0.63-1+3

▶NVDsimon_tatham/putty0.62+1

▶NVDputty/putty17 versions+16

▶Debianfilezilla/filezilla< 3.7.3-1+3

🔴Vulnerability Details

GHSA

GHSA-gpf3-9fhm-cfpr: The rsa_verify function in PuTTY before 0↗2022-05-14

▶

OSV

CVE-2013-4208: The rsa_verify function in PuTTY before 0↗2013-08-19

▶

CVEList

CVE-2013-4208: The rsa_verify function in PuTTY before 0↗2013-08-19

▶

📋Vendor Advisories

Debian

CVE-2013-4208: filezilla - The rsa_verify function in PuTTY before 0.63 (1) does not clear sensitive proces...↗2013

▶

💬Community

Bugzilla

CVE-2013-4206 CVE-2013-4207 CVE-2013-4208 CVE-2013-4852 putty: Integer overflow, leading to heap-based buffer overflow during SSH handshake↗2013-08-05

▶