Fluid Attacks Database

Description

Paramiko Unsafe randomness usage may allow access to sensitive information common.py in Paramiko 1.7.1 and earlier, when using threads or forked processes, does not properly use RandomPool, which allows one session to obtain sensitive information from another session by predicting the state of the pool.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	paramiko	>=0 <1.6.4-1.1	1.6.4-1.1
debian 14	paramiko	>=0 <1.6.4-1.1	1.6.4-1.1
pypi	paramiko	>=0 <1.7.1-3	1.7.1-3
debian 13	paramiko	>=0 <1.6.4-1.1	1.6.4-1.1
debian 12	paramiko	>=0 <1.6.4-1.1	1.6.4-1.1

Aliases

1. CVE-2008-02992. NVD-2008-02993. OSV-DEBIAN-2008-02994. OSV-2008-02995. GCVE-2008-02996. SECURITY-TRACKER-CVE-2008-02997. security.gentoo.org

References

1. https://bugzilla.redhat.com/show_bug.cgi?id=4287272. https://exchange.xforce.ibmcloud.com/vulnerabilities/397493. https://github.com/pypa/advisory-database/tree/main/vulns/paramiko/PYSEC-2008-8.yaml4. https://web.archive.org/web/20080720033315/http://www.lag.net/pipermail/paramiko/2008-January/000599.html5. https://web.archive.org/web/20081012023428/http://www.securityfocus.com/bid/273076. https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00529.html7. https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00594.html8. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=4607069. http://people.debian.org/~nion/nmu-diff/paramiko-1.6.4-1_1.6.4-1.1.patch

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.