CVE-2020-14002

PuTTY 0.68 through 0.73 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client).

Published: Jun 29, 2020
Updated: Apr 13, 2023
CVE: CVE-2020-14002
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.9
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N

CWEs:

CWE-203

Affected Software
References

Software	From	Fixed in
putty / putty	0.68	0.73.x
fedoraproject / fedora	31	31.x
fedoraproject / fedora	32	32.x

https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/26TACCSQYYCPWAJYNAUIXJGZ5RGORJZV/
https://lists.fedoraproject.org/archives/list/[email protected]/message/JPV4A77EDCT4BTFO5BE26ZH72BG4E5IJ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/26TACCSQYYCPWAJYNAUIXJGZ5RGORJZV/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JPV4A77EDCT4BTFO5BE26ZH72BG4E5IJ/
https://lists.tartarus.org/pipermail/putty-announce/
https://security.netapp.com/advisory/ntap-20200717-0003/
https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-2-ausnutzung-eines-informationslecks-fuer-gezielte-mitm-angriffe-auf-ssh-clients/

Vulnerability Database

289,599

CVE-2020-14002