CVE-2008-0299
MEDIUM6.5EPSS 1.3%Paramiko Unsafe randomness usage may allow access to sensitive information
發布日:2022/5/1修改日:2026/4/28
描述
common.py in Paramiko 1.7.1 and earlier, when using threads or forked processes, does not properly use RandomPool, which allows one session to obtain sensitive information from another session by predicting the state of the pool.
受影響套件(3)
- Debian/paramikofrom 0, < 1.6.4-1.1
- PyPI/paramikofrom 0, < 1.7.1-3
- PyPI/paramikofrom 0, < 1.7.2
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
參考連結(21)
- ADVISORYhttp://secunia.com/advisories/28488
- ADVISORYhttp://secunia.com/advisories/28510
- ADVISORYhttp://secunia.com/advisories/29168
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2008-0299
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2008-0299
- PATCHhttps://github.com/paramiko/paramiko
- WEBhttp://bugs.debian.org/cgi-bin/bugreport.cgi?bug=460706
- WEBhttp://people.debian.org/~nion/nmu-diff/paramiko-1.6.4-1_1.6.4-1.1.patch
- WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=428727
- WEBhttp://security.gentoo.org/glsa/glsa-200803-07.xml
- WEBhttps://exchange.xforce.ibmcloud.com/vulnerabilities/39749
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/paramiko/PYSEC-2008-8.yaml
- WEBhttps://web.archive.org/web/20080205095439/http://secunia.com/advisories/28488
- WEBhttps://web.archive.org/web/20080627172450/http://secunia.com/advisories/28510
- WEBhttps://web.archive.org/web/20080628232710/http://secunia.com/advisories/29168
- WEBhttps://web.archive.org/web/20080720033315/http://www.lag.net/pipermail/paramiko/2008-January/000599.html
- WEBhttps://web.archive.org/web/20081012023428/http://www.securityfocus.com/bid/27307
- WEBhttps://www.redhat.com/archives/fedora-package-announce/2008-January/msg00529.html
- WEBhttps://www.redhat.com/archives/fedora-package-announce/2008-January/msg00594.html
- WEBhttp://www.lag.net/pipermail/paramiko/2008-January/000599.html
- WEBhttp://www.securityfocus.com/bid/27307