CVE-2015-2157

The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in PuTTY 0.51 through 0.63 do not properly wipe SSH-2 private keys from memory, which allows local users to obtain sensitive information by reading the memory.

Published: Mar 27, 2015
Updated: Apr 13, 2023
CVE: CVE-2015-2157
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 2.1
AV:L/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-200

Affected Software
References

Software	From	Fixed in
fedoraproject / fedora	22	22.x
debian / debian_linux	7.0	7.0.x
fedoraproject / fedora	20	20.x
opensuse / opensuse	13.1	13.1.x
opensuse / opensuse	13.2	13.2.x
putty / putty	0.51	0.51.x
simon_tatham / putty	0.53	0.53.x
putty / putty	0.55	0.55.x
putty / putty	0.53b	0.53b.x
putty / putty	0.52	0.52.x
putty / putty	0.54	0.54.x
putty / putty	0.56	0.56.x
putty / putty	0.57	0.57.x
putty / putty	0.58	0.58.x
putty / putty	0.59	0.59.x
putty / putty	0.60	0.60.x
putty / putty	0.61	0.61.x
putty / putty	0.62	0.62.x
putty / putty	0.63	0.63.x

http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151790.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151839.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151933.html
http://lists.opensuse.org/opensuse-updates/2015-03/msg00032.html
http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html
http://www.debian.org/security/2015/dsa-3190
http://www.openwall.com/lists/oss-security/2015/02/28/4
http://www.openwall.com/lists/oss-security/2015/02/28/5
http://www.securityfocus.com/bid/72825

Vulnerability Database

289,599

CVE-2015-2157