cve-2011-4607
Vulnerability from cvelistv5
Published
2013-08-23 16:00
Modified
2024-09-16 18:04
Severity ?
Summary
PuTTY 0.59 through 0.61 does not clear sensitive process memory when managing user replies that occur during keyboard-interactive authentication, which might allow local users to read login passwords by obtaining access to the process' memory.
References
secalert@redhat.comhttp://seclists.org/oss-sec/2011/q4/499
secalert@redhat.comhttp://seclists.org/oss-sec/2011/q4/500
secalert@redhat.comhttp://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/password-not-wiped.htmlVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://seclists.org/oss-sec/2011/q4/499
af854a3a-2127-422b-91ae-364da2661108http://seclists.org/oss-sec/2011/q4/500
af854a3a-2127-422b-91ae-364da2661108http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/password-not-wiped.htmlVendor Advisory
Impacted products
Vendor Product Version
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T00:09:19.403Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[oss-security] 20111212 Re: CVE request: putty does not wipe keyboard-interactive replies from memory after authentication",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://seclists.org/oss-sec/2011/q4/500"
          },
          {
            "name": "[oss-security] 20111212 CVE request: putty does not wipe keyboard-interactive replies from memory after authentication",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://seclists.org/oss-sec/2011/q4/499"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/password-not-wiped.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PuTTY 0.59 through 0.61 does not clear sensitive process memory when managing user replies that occur during keyboard-interactive authentication, which might allow local users to read login passwords by obtaining access to the process\u0027 memory."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2013-08-23T16:00:00Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "[oss-security] 20111212 Re: CVE request: putty does not wipe keyboard-interactive replies from memory after authentication",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://seclists.org/oss-sec/2011/q4/500"
        },
        {
          "name": "[oss-security] 20111212 CVE request: putty does not wipe keyboard-interactive replies from memory after authentication",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://seclists.org/oss-sec/2011/q4/499"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/password-not-wiped.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2011-4607",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "PuTTY 0.59 through 0.61 does not clear sensitive process memory when managing user replies that occur during keyboard-interactive authentication, which might allow local users to read login passwords by obtaining access to the process\u0027 memory."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[oss-security] 20111212 Re: CVE request: putty does not wipe keyboard-interactive replies from memory after authentication",
              "refsource": "MLIST",
              "url": "http://seclists.org/oss-sec/2011/q4/500"
            },
            {
              "name": "[oss-security] 20111212 CVE request: putty does not wipe keyboard-interactive replies from memory after authentication",
              "refsource": "MLIST",
              "url": "http://seclists.org/oss-sec/2011/q4/499"
            },
            {
              "name": "http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/password-not-wiped.html",
              "refsource": "CONFIRM",
              "url": "http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/password-not-wiped.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2011-4607",
    "datePublished": "2013-08-23T16:00:00Z",
    "dateReserved": "2011-11-29T00:00:00Z",
    "dateUpdated": "2024-09-16T18:04:01.003Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:putty:putty:0.59:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8B33EB10-535F-42F2-8F78-CE128A89447C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:putty:putty:0.60:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"218F9EAF-C260-43EC-99C4-EFACA9A1DA8D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:putty:putty:0.61:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5966235B-2F1A-45C5-AF65-99FFFE4725DF\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"PuTTY 0.59 through 0.61 does not clear sensitive process memory when managing user replies that occur during keyboard-interactive authentication, which might allow local users to read login passwords by obtaining access to the process\u0027 memory.\"}, {\"lang\": \"es\", \"value\": \"PuTTY v0.59 hasta v0.61 no borra la memoria de procesos sensibles en la gesti\\u00f3n de las respuestas del usuario que se producen durante la autenticaci\\u00f3n interactiva por teclado, lo que podr\\u00eda permitir a usuarios locales leer las contrase\\u00f1as de inicio de sesi\\u00f3n mediante la obtenci\\u00f3n de acceso a la memoria del proceso.\"}]",
      "id": "CVE-2011-4607",
      "lastModified": "2024-11-21T01:32:39.080",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 2.1, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 3.9, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2013-08-23T16:55:06.907",
      "references": "[{\"url\": \"http://seclists.org/oss-sec/2011/q4/499\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://seclists.org/oss-sec/2011/q4/500\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/password-not-wiped.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://seclists.org/oss-sec/2011/q4/499\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://seclists.org/oss-sec/2011/q4/500\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/password-not-wiped.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "secalert@redhat.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-119\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2011-4607\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2013-08-23T16:55:06.907\",\"lastModified\":\"2024-11-21T01:32:39.080\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"PuTTY 0.59 through 0.61 does not clear sensitive process memory when managing user replies that occur during keyboard-interactive authentication, which might allow local users to read login passwords by obtaining access to the process\u0027 memory.\"},{\"lang\":\"es\",\"value\":\"PuTTY v0.59 hasta v0.61 no borra la memoria de procesos sensibles en la gesti\u00f3n de las respuestas del usuario que se producen durante la autenticaci\u00f3n interactiva por teclado, lo que podr\u00eda permitir a usuarios locales leer las contrase\u00f1as de inicio de sesi\u00f3n mediante la obtenci\u00f3n de acceso a la memoria del proceso.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":2.1,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":3.9,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-119\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:putty:putty:0.59:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B33EB10-535F-42F2-8F78-CE128A89447C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:putty:putty:0.60:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"218F9EAF-C260-43EC-99C4-EFACA9A1DA8D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:putty:putty:0.61:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5966235B-2F1A-45C5-AF65-99FFFE4725DF\"}]}]}],\"references\":[{\"url\":\"http://seclists.org/oss-sec/2011/q4/499\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://seclists.org/oss-sec/2011/q4/500\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/password-not-wiped.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://seclists.org/oss-sec/2011/q4/499\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://seclists.org/oss-sec/2011/q4/500\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/password-not-wiped.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.