CVE-2015-2157

NONE EPSS 43.6%
Published Mar 27, 2015 11y ago
Last Modified Jun 17, 2026 2w ago

Description

The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in PuTTY 0.51 through 0.63 do not properly wipe SSH-2 private keys from memory, which allows local users to obtain sensitive information by reading the memory.

Threat Intelligence

EPSS Exploit Probability
43.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (Information Exposure)

Affected Products 19

Vendor          Product        Version   Range
debian          debian_linux   7.0       any
fedoraproject   fedora         20        any
fedoraproject   fedora         22        any
opensuse        opensuse       13.1      any
opensuse        opensuse       13.2      any
putty           putty          0.51      any
putty           putty          0.52      any
putty           putty          0.53b     any
putty           putty          0.54      any
putty           putty          0.55      any
putty           putty          0.56      any
putty           putty          0.57      any
putty           putty          0.58      any
putty           putty          0.59      any
putty           putty          0.60      any
putty           putty          0.61      any
putty           putty          0.62      any
putty           putty          0.63      any
simon_tatham    putty          0.53      any

References 10

Remediation

  • chiark.greenend.org.uk http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
    Patch, Vendor Advisory
  • chiark.greenend.org.uk http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html
    Patch, Vendor Advisory