CVE-2020-14002
First published: Mon Jun 29 2020(Updated: )
PuTTY 0.68 through 0.73 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client).
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Putty Putty | >=0.68<=0.73 | |
| NetApp OnCommand Unified Manager Core Package | ||
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/26TACCSQYYCPWAJYNAUIXJGZ5RGORJZV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JPV4A77EDCT4BTFO5BE26ZH72BG4E5IJ/
- https://lists.tartarus.org/pipermail/putty-announce/
- https://security.netapp.com/advisory/ntap-20200717-0003/
- https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
- https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-2-ausnutzung-eines-informationslecks-fuer-gezielte-mitm-angriffe-auf-ssh-clients/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/26TACCSQYYCPWAJYNAUIXJGZ5RGORJZV/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JPV4A77EDCT4BTFO5BE26ZH72BG4E5IJ/
- https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html
Frequently Asked Questions
What is CVE-2020-14002?
CVE-2020-14002 is a vulnerability in PuTTY versions 0.68 through 0.73 that allows man-in-the-middle attackers to target initial connection attempts and leak information in the algorithm negotiation process.
What software is affected by CVE-2020-14002?
PuTTY versions 0.68 through 0.73, NetApp OnCommand Unified Manager Core Package, and Fedora versions 31 and 32 are affected by CVE-2020-14002.
What is the severity of CVE-2020-14002?
The severity of CVE-2020-14002 is medium with a CVSS score of 5.9.
How can an attacker exploit CVE-2020-14002?
An attacker can exploit CVE-2020-14002 by performing a man-in-the-middle attack during the initial connection attempt and intercepting the algorithm negotiation process to leak information.
Are there any fixes or patches available for CVE-2020-14002?
Yes, it is recommended to update to the latest version of PuTTY (0.74 or higher) to mitigate the vulnerability.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/references
- agent/tags
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/putty
- canonical/putty putty
- version/putty putty/0.68
- version/putty putty/0.73
- vendor/netapp
- canonical/netapp oncommand unified manager core package
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32