CVE-2008-0299: Infoleak
First published: Mon Jan 14 2008(Updated: )
common.py in Paramiko 1.7.1 and earlier, when using threads or forked processes, does not properly use RandomPool, which allows one session to obtain sensitive information from another session by predicting the state of the pool.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Python Software Foundation Paramiko | =1.7.1 | |
| redhat/1.7.1 | <3. | 3. |
| pip/paramiko | <=1.7.1-2 | 1.7.1-3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://people.debian.org/~nion/nmu-diff/paramiko-1.6.4-1_1.6.4-1.1.patch
- http://www.lag.net/pipermail/paramiko/2008-January/000599.html
- https://bugzilla.redhat.com/show_bug.cgi?id=428727
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=460706
- https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00529.html
- https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00594.html
- http://www.securityfocus.com/bid/27307
- http://secunia.com/advisories/28488
- http://secunia.com/advisories/28510
- http://security.gentoo.org/glsa/glsa-200803-07.xml
- http://secunia.com/advisories/29168
- https://exchange.xforce.ibmcloud.com/vulnerabilities/39749
- https://nvd.nist.gov/vuln/detail/CVE-2008-0299
- https://web.archive.org/web/20080205095439/http://secunia.com/advisories/28488
- https://web.archive.org/web/20080627172450/http://secunia.com/advisories/28510
- https://web.archive.org/web/20080628232710/http://secunia.com/advisories/29168
- https://web.archive.org/web/20080720033315/http://www.lag.net/pipermail/paramiko/2008-January/000599.html
- https://web.archive.org/web/20081012023428/http://www.securityfocus.com/bid/27307
- https://github.com/advisories/GHSA-wqmm-q65g-2hqr (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/paramiko/PYSEC-2008-8.yaml
- collector/nvd-historical
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/severity
- agent/references
- agent/description
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2008-0299
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- agent/author
- collector/github-advisory
- source/GitHub
- alias/GHSA-wqmm-q65g-2hqr
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/github-advisory-latest
- vendor/python software foundation
- canonical/python software foundation paramiko
- version/python software foundation paramiko/1.7.1
- package-manager/redhat
- package-manager/pip