Information disclosure in putty (Alpine package)
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2015-2157 |
| CWE-ID | CWE-200 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
putty (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Information disclosure
EUVDB-ID: #VU32444
Risk: Low
CVSSv3.1: 3.5 [CVSS:3.1/CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2015-2157
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local non-authenticated attacker to gain access to sensitive information.
The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in PuTTY 0.51 through 0.63 do not properly wipe SSH-2 private keys from memory, which allows local users to obtain sensitive information by reading the memory.
MitigationInstall update from vendor's website.
Vulnerable software versionsputty (Alpine package): 0.62-r0 - 0.63-r0
CPE2.3- cpe:2.3:o:alpine:putty_alpine_package:0.63-r0:*:*:*:*:alpine_linux:*:
- cpe:2.3:o:alpine:putty_alpine_package:0.62-r0:*:*:*:*:alpine_linux:*:
http://git.alpinelinux.org/aports/commit/?id=184fa95a5203e579a2caf369ba629f37afa69f78
http://git.alpinelinux.org/aports/commit/?id=9885c3b5660ce50d2488f415c585d76c07549119
http://git.alpinelinux.org/aports/commit/?id=6f8fd5790b15b5ed3e564dc49226d2ae6bc81138
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
