Vulnerability Description
PuTTY through 0.75 proceeds with establishing an SSH session even if it has never sent a substantive authentication response. This makes it easier for an attacker-controlled SSH server to present a later spoofed authentication prompt (that the attacker can use to capture credential data, and use that data for purposes that are undesired by the client user).
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Putty | Putty | <= 0.75 |
Related Weaknesses (CWE)
References
- https://git.tartarus.org/?p=simon/putty.git%3Ba=commit%3Bh=1dc5659aa62848f0aeb5d
- https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html
- https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.htmlRelease NotesThird Party Advisory
- https://www.debian.org/security/2023/dsa-5588
- https://git.tartarus.org/?p=simon/putty.git%3Ba=commit%3Bh=1dc5659aa62848f0aeb5d
- https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html
- https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.htmlRelease NotesThird Party Advisory
- https://www.debian.org/security/2023/dsa-5588
FAQ
What is CVE-2021-36367?
CVE-2021-36367 is a vulnerability with a CVSS score of 8.1 (HIGH). PuTTY through 0.75 proceeds with establishing an SSH session even if it has never sent a substantive authentication response. This makes it easier for an attacker-controlled SSH server to present a la...
How severe is CVE-2021-36367?
CVE-2021-36367 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-36367?
Check the references section above for vendor advisories and patch information. Affected products include: Putty Putty.