CVE-2008-0299: Infoleak
First published: Mon Jan 14 2008(Updated: )
common.py in Paramiko 1.7.1 and earlier, when using threads or forked processes, does not properly use RandomPool, which allows one session to obtain sensitive information from another session by predicting the state of the pool.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/1.7.1 | <3. | 3. |
| pip/paramiko | <=1.7.1-2 | 1.7.1-3 |
| Paramiko | =1.7.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://people.debian.org/~nion/nmu-diff/paramiko-1.6.4-1_1.6.4-1.1.patch
- http://www.lag.net/pipermail/paramiko/2008-January/000599.html
- https://bugzilla.redhat.com/show_bug.cgi?id=428727
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=460706
- https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00529.html
- https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00594.html
- http://www.securityfocus.com/bid/27307
- http://secunia.com/advisories/28488
- http://secunia.com/advisories/28510
- http://security.gentoo.org/glsa/glsa-200803-07.xml
- http://secunia.com/advisories/29168
- https://exchange.xforce.ibmcloud.com/vulnerabilities/39749
- https://nvd.nist.gov/vuln/detail/CVE-2008-0299
- https://web.archive.org/web/20080205095439/http://secunia.com/advisories/28488
- https://web.archive.org/web/20080627172450/http://secunia.com/advisories/28510
- https://web.archive.org/web/20080628232710/http://secunia.com/advisories/29168
- https://web.archive.org/web/20080720033315/http://www.lag.net/pipermail/paramiko/2008-January/000599.html
- https://web.archive.org/web/20081012023428/http://www.securityfocus.com/bid/27307
- https://github.com/advisories/GHSA-wqmm-q65g-2hqr (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/paramiko/PYSEC-2008-8.yaml
Frequently Asked Questions
What is the severity of CVE-2008-0299?
CVE-2008-0299 is classified as having moderate severity due to potential exposure of sensitive information between sessions.
How do I fix CVE-2008-0299?
To fix CVE-2008-0299, upgrade Paramiko to version 1.7.2 or later.
What are the affected versions for CVE-2008-0299?
CVE-2008-0299 affects Paramiko versions 1.7.1 and earlier.
What does CVE-2008-0299 exploit?
CVE-2008-0299 exploits a flaw in the RandomPool implementation in Paramiko, allowing session information leakage.
Which software contains CVE-2008-0299?
CVE-2008-0299 is found in Paramiko, specifically in version 1.7.1 and earlier.
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/description
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2008-0299
- agent/software-canonical-lookup
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-wqmm-q65g-2hqr
- agent/last-modified-date
- agent/references
- agent/severity
- collector/github-advisory
- agent/trending
- agent/source
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-cve
- source/NVD
- package-manager/redhat
- package-manager/pip
- vendor/python software foundation
- canonical/paramiko
- version/paramiko/1.7.1