CVE-2013-4208

NONE
Published Aug 19, 2013 (12y ago) · Modified Jun 16, 2026 (2w ago)

Description

The rsa_verify function in PuTTY before 0.63 (1) does not clear sensitive process memory after use and (2) does not free certain structures containing sensitive process memory, which might allow local users to discover private RSA and DSA keys.

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (Information Exposure)

Affected Products 19

Vendor         Product   Version   Range
putty          putty     0.45      any
putty          putty     0.46      any
putty          putty     0.47      any
putty          putty     0.48      any
putty          putty     0.49      any
putty          putty     0.50      any
putty          putty     0.51      any
putty          putty     0.52      any
putty          putty     0.53b     any
putty          putty     0.54      any
putty          putty     0.55      any
putty          putty     0.56      any
putty          putty     0.57      any
putty          putty     0.58      any
putty          putty     0.59      any
putty          putty     0.60      any
putty          putty     0.61      any
simon_tatham   putty     *         ≤0.62
simon_tatham   putty     0.53      any

References 6

  • lists.opensuse.org http://lists.opensuse.org/opensuse-updates/2013-08/msg00035.html
  • secunia.com http://secunia.com/advisories/54379
    Vendor Advisory
  • secunia.com http://secunia.com/advisories/54533
  • chiark.greenend.org.uk http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped.html
  • debian.org http://www.debian.org/security/2013/dsa-2736
  • openwall.com http://www.openwall.com/lists/oss-security/2013/08/06/11

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.