CVE-2015-2157: Sensitive Information Exposure in PuTTY

Severity: 2.1 LOW (NVD)
EPSS: 0.1% (top 68.14%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 27; Latest update May 14

Description

The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in PuTTY 0.51 through 0.63 do not properly wipe SSH-2 private keys from memory, which allows local users to obtain sensitive information by reading the memory.

CVSS vector

AV:L/AC:L/C:P/I:N/A:N
Exploitability: 3.9 | Impact: 2.9

Affected Packages (4 packages)

Debian: putty/putty < 0.63-10 +3
NVD: putty/putty 13 versions +12
NVD: opensuse/opensuse 13.1, 13.2 +1

Also affects: Debian Linux 7.0, Fedora 20, 22

Patches

🔴 Vulnerability Details (3)

GHSA: GHSA-cmw5-crx2-gx7r: The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in PuTTY 0... (2022-05-14)
CVEList: CVE-2015-2157: The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in PuTTY 0... (2015-03-27)
OSV: CVE-2015-2157: The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in PuTTY 0... (2015-03-27)

📋 Vendor Advisories (1)

Debian: CVE-2015-2157: putty - The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in PuTTY 0.51 thro... (2015)

💬 Community (3)

Bugzilla: CVE-2015-2157 putty: failure to scrub private keys from memory after use (2015-03-03)
Bugzilla: CVE-2015-2157 putty: failure to scrub private keys from memory after use [fedora-all] (2015-03-03)
Bugzilla: CVE-2015-2157 putty: failure to scrub private keys from memory after use [epel-all] (2015-03-03)