CVE Vulnerabilities

CVE-2021-36367

Insufficient Verification of Data Authenticity

Published: Jul 09, 2021 | Modified: Apr 25, 2024
CVSS 3.x
8.1
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS 2.x
5.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:N
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM

PuTTY through 0.75 proceeds with establishing an SSH session even if it has never sent a substantive authentication response. This makes it easier for an attacker-controlled SSH server to present a later spoofed authentication prompt (that the attacker can use to capture credential data, and use that data for purposes that are undesired by the client user).

Weakness

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Affected Software

Name Vendor Start Version End Version
Putty Putty * 0.75 (including)
Putty Ubuntu bionic *
Putty Ubuntu groovy *
Putty Ubuntu hirsute *
Putty Ubuntu impish *
Putty Ubuntu kinetic *
Putty Ubuntu trusty *
Putty Ubuntu upstream *
Putty Ubuntu xenial *

References