Vulnerability Description
common.py in Paramiko 1.7.1 and earlier, when using threads or forked processes, does not properly use RandomPool, which allows one session to obtain sensitive information from another session by predicting the state of the pool.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Python Software Foundation | Paramiko | 1.7.1 |
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=460706
- http://people.debian.org/~nion/nmu-diff/paramiko-1.6.4-1_1.6.4-1.1.patchExploit
- http://secunia.com/advisories/28488
- http://secunia.com/advisories/28510
- http://secunia.com/advisories/29168
- http://security.gentoo.org/glsa/glsa-200803-07.xml
- http://www.lag.net/pipermail/paramiko/2008-January/000599.html
- http://www.securityfocus.com/bid/27307
- https://bugzilla.redhat.com/show_bug.cgi?id=428727
- https://exchange.xforce.ibmcloud.com/vulnerabilities/39749
- https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00529.ht
- https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00594.ht
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=460706
- http://people.debian.org/~nion/nmu-diff/paramiko-1.6.4-1_1.6.4-1.1.patchExploit
- http://secunia.com/advisories/28488
FAQ
What is CVE-2008-0299?
CVE-2008-0299 is a vulnerability with a CVSS score of 4.3 (MEDIUM). common.py in Paramiko 1.7.1 and earlier, when using threads or forked processes, does not properly use RandomPool, which allows one session to obtain sensitive information from another session by pred...
How severe is CVE-2008-0299?
CVE-2008-0299 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2008-0299?
Check the references section above for vendor advisories and patch information. Affected products include: Python Software Foundation Paramiko.