GHSA-wqmm-q65g-2hqr

Source

https://github.com/advisories/GHSA-wqmm-q65g-2hqr

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wqmm-q65g-2hqr/GHSA-wqmm-q65g-2hqr.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-wqmm-q65g-2hqr

Aliases

Published

2022-05-01T23:28:57Z

Modified

2024-10-08T13:23:18.317479Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Paramiko Unsafe randomness usage may allow access to sensitive information

Details

common.py in Paramiko 1.7.1 and earlier, when using threads or forked processes, does not properly use RandomPool, which allows one session to obtain sensitive information from another session by predicting the state of the pool.

Database specific

{
    "nvd_published_at": "2008-01-16T23:00:00Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-09T19:42:59Z"
}

References

Affected packages

PyPI / paramiko

Package

Name: paramiko; View open source insights on deps.dev
Purl: pkg:pypi/paramiko

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.7.1-3

Affected versions

0.*

0.1-bulbasaur

0.1-charmander

0.9-doduo

0.9-eevee

0.9-fearow

0.9-gyarados

0.9-horsea

0.9-ivysaur

1.*

1.0

1.1

1.2

1.3

1.3.1

1.4

1.5.1

1.5.2

1.5.4

1.6

1.6.1

1.6.2

1.6.3

1.6.4

1.7

1.7.1

Database specific

{
    "last_known_affected_version_range": "<= 1.7.1-2"
}