MEDIUM 6.5 PyPI
Paramiko Unsafe randomness usage may allow access to sensitive information
GHSA-wqmm-q65g-2hqr · CVE-2008-0299 · PYSEC-2008-8
Published · Modified
Description
common.py in Paramiko 1.7.1 and earlier, when using threads or forked processes, does not properly use RandomPool, which allows one session to obtain sensitive information from another session by predicting the state of the pool.
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2008-0299
- WEB https://bugzilla.redhat.com/show_bug.cgi?id=428727
- WEB https://exchange.xforce.ibmcloud.com/vulnerabilities/39749
- PACKAGE https://github.com/paramiko/paramiko
- WEB https://github.com/pypa/advisory-database/tree/main/vulns/paramiko/PYSEC-2008-8.yaml
- WEB https://web.archive.org/web/20080205095439/http://secunia.com/advisories/28488
- WEB https://web.archive.org/web/20080627172450/http://secunia.com/advisories/28510
- WEB https://web.archive.org/web/20080628232710/http://secunia.com/advisories/29168
- WEB https://web.archive.org/web/20080720033315/http://www.lag.net/pipermail/paramiko/2008-January/000599.html
- WEB https://web.archive.org/web/20081012023428/http://www.securityfocus.com/bid/27307
- WEB https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00529.html
- WEB https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00594.html
- WEB http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=460706
- WEB http://people.debian.org/~nion/nmu-diff/paramiko-1.6.4-1_1.6.4-1.1.patch
- WEB http://security.gentoo.org/glsa/glsa-200803-07.xml
Ready to move
Start Securing
Free, no credit card | First findings in minutes