CVE-2021-36367 — Insufficient Verification of Data Authenticity in Putty

CWE-345 — Insufficient Verification of Data Authenticity5 documents5 sources

Severity

8.1HIGHNVD

EPSS

0.1%

top 66.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Putty Debian Putty

Timeline

PublishedJul 9

Latest updateMay 24

Description

PuTTY through 0.75 proceeds with establishing an SSH session even if it has never sent a substantive authentication response. This makes it easier for an attacker-controlled SSH server to present a later spoofed authentication prompt (that the attacker can use to capture credential data, and use that data for purposes that are undesired by the client user).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages3 packages

▶debiandebian/putty< putty 0.75-3 (bookworm)

▶Debianputty/putty< 0.74-1+deb11u1+3

▶NVDputty/putty0.75

🔴Vulnerability Details

GHSA

GHSA-wccm-6vx2-7p8c: PuTTY through 0↗2022-05-24

▶

OSV

CVE-2021-36367: PuTTY through 0↗2021-07-09

▶

📋Vendor Advisories

Debian

CVE-2021-36367: putty - PuTTY through 0.75 proceeds with establishing an SSH session even if it has neve...↗2021

▶

🕵️Threat Intelligence

Wiz

CVE-2026-4115 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶