First published: Mon Jun 29 2020(Updated: )
PuTTY 0.68 through 0.73 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client).
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
PuTTY | >=0.68<=0.73 | |
NetApp OnCommand Unified Manager for Windows | ||
Fedora | =31 | |
Fedora | =32 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2020-14002 is a vulnerability in PuTTY versions 0.68 through 0.73 that allows man-in-the-middle attackers to target initial connection attempts and leak information in the algorithm negotiation process.
PuTTY versions 0.68 through 0.73, NetApp OnCommand Unified Manager Core Package, and Fedora versions 31 and 32 are affected by CVE-2020-14002.
The severity of CVE-2020-14002 is medium with a CVSS score of 5.9.
An attacker can exploit CVE-2020-14002 by performing a man-in-the-middle attack during the initial connection attempt and intercepting the algorithm negotiation process to leak information.
Yes, it is recommended to update to the latest version of PuTTY (0.74 or higher) to mitigate the vulnerability.