CVE-2013-4208

The rsa_verify function in PuTTY before 0.63 (1) does not clear sensitive process memory after use and (2) does not free certain structures containing sensitive process memory, which might allow local users to discover private RSA and DSA keys.

Published: Aug 20, 2013
Updated: Apr 13, 2023
CVE: CVE-2013-4208
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 2.1
AV:L/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-200

Affected Software
References

Software	From	Fixed in
putty / putty	0.50	0.50.x
putty / putty	0.49	0.49.x
putty / putty	0.51	0.51.x
simon_tatham / putty	0.53	0.53.x
putty / putty	0.55	0.55.x
simon_tatham / putty	-	0.62.x
putty / putty	0.53b	0.53b.x
putty / putty	0.52	0.52.x
putty / putty	0.48	0.48.x
putty / putty	0.54	0.54.x
putty / putty	0.45	0.45.x
putty / putty	0.46	0.46.x
putty / putty	0.47	0.47.x
putty / putty	0.56	0.56.x
putty / putty	0.57	0.57.x
putty / putty	0.58	0.58.x
putty / putty	0.59	0.59.x
putty / putty	0.60	0.60.x
putty / putty	0.61	0.61.x

http://lists.opensuse.org/opensuse-updates/2013-08/msg00035.html
http://secunia.com/advisories/54379
http://secunia.com/advisories/54533
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped.html
http://www.debian.org/security/2013/dsa-2736
http://www.openwall.com/lists/oss-security/2013/08/06/11

Vulnerability Database

289,599

CVE-2013-4208