CVE-2021-36367

Summary

CVE	CVE-2021-36367
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-07-09 21:15:00 UTC
Updated	2023-12-24 18:15:00 UTC
Description	PuTTY through 0.75 proceeds with establishing an SSH session even if it has never sent a substantive authentication response. This makes it easier for an attacker-controlled SSH server to present a later spoofed authentication prompt (that the attacker can use to capture credential data, and use that data for purposes that are undesired by the client user).

Risk And Classification

Problem Types: CWE-345

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Putty	Putty	All	All	All	All

References

Reference	Source	Link	Tags
git.tartarus.org Git - simon/putty.git/commit		git.tartarus.org
www.chiark.greenend.org.uk/~sgtatham/putty/changes.html	MISC	www.chiark.greenend.org.uk
Debian -- Security Information -- DSA-5588-1 putty		www.debian.org
git.tartarus.org Git - simon/putty.git/commit	MISC	git.tartarus.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

183377 Debian Security Update for putty (CVE-2021-36367)
375759 Putty Multiple Security Vulnerabilities
500555 Alpine Linux Security Update for putty
504325 Alpine Linux Security Update for putty
6000402 Debian Security Update for putty (DSA 5588-1)