Vulnerability Details CVE-2020-14002
PuTTY 0.68 through 0.73 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 58.8%
CVSS Severity
CVSS v3 Score 5.9
CVSS v2 Score 4.3
References
- https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/26TACCSQYYCPWAJYNAUIXJGZ5RGORJZV/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JPV4A77EDCT4BTFO5BE26ZH72BG4E5IJ/
- https://lists.tartarus.org/pipermail/putty-announce/
- https://security.netapp.com/advisory/ntap-20200717-0003/
- https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
- https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-2-ausnutzung-eines-informationslecks-fuer-gezielte-mitm-angriffe-auf-ssh-clients/
- https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/26TACCSQYYCPWAJYNAUIXJGZ5RGORJZV/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JPV4A77EDCT4BTFO5BE26ZH72BG4E5IJ/
- https://lists.tartarus.org/pipermail/putty-announce/
- https://security.netapp.com/advisory/ntap-20200717-0003/
- https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
- https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-2-ausnutzung-eines-informationslecks-fuer-gezielte-mitm-angriffe-auf-ssh-clients/
Products affected by CVE-2020-14002
-
cpe:2.3:a:netapp:oncommand_unified_manager_core_package:-
-
cpe:2.3:a:putty:putty:0.68
-
cpe:2.3:a:putty:putty:0.69
-
cpe:2.3:a:putty:putty:0.70
-
cpe:2.3:a:putty:putty:0.71
-
cpe:2.3:a:putty:putty:0.72
-
cpe:2.3:a:putty:putty:0.73
-
cpe:2.3:o:fedoraproject:fedora:31
-
cpe:2.3:o:fedoraproject:fedora:32