CVE-2022-24302 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 64%

Vendor	Product	Version
paramiko	paramiko	𝑥 < 2.10.1
debian	debian_linux	9.0
debian	debian_linux	10.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

paramiko

bullseye	no-dsa
bookworm	2.12.0-2 fixed
sid	3.4.1-2 fixed
trixie	3.4.1-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

paramiko

noble	Fixed 2.8.1-1ubuntu3 released
mantic	Fixed 2.8.1-1ubuntu3 released
lunar	Fixed 2.8.1-1ubuntu3 released
kinetic	Fixed 2.8.1-1ubuntu3 released
jammy	Fixed 2.8.1-1ubuntu3 released
impish	Fixed 2.7.2-1ubuntu1.1 released
focal	Fixed 2.6.0-2ubuntu0.1 released
bionic	Fixed 2.0.0-1ubuntu1.3 released
xenial	Fixed 1.16.0-1ubuntu0.2+esm2 released
trusty	needed

Known Exploits!

Common Weakness Enumeration

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References

https://github.com/paramiko/paramiko/blob/363a28d94cada17f012c1604a3c99c71a2bda003/paramiko/pkey.py#L546

https://lists.debian.org/debian-lts-announce/2022/03/msg00032.html

https://lists.debian.org/debian-lts-announce/2022/09/msg00013.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LUEUEGILZ7MQXRSUF5VMMO4SWJQVPTQL/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TPMKRUS4HO3P7NR7P4Y6CLHB4MBEE3AI/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U63MJ2VOLLQ35R7CYNREUHSXYLWNPVSB/

https://www.paramiko.org/changelog.html

https://github.com/paramiko/paramiko/blob/363a28d94cada17f012c1604a3c99c71a2bda003/paramiko/pkey.py#L546

https://lists.debian.org/debian-lts-announce/2022/03/msg00032.html

https://lists.debian.org/debian-lts-announce/2022/09/msg00013.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LUEUEGILZ7MQXRSUF5VMMO4SWJQVPTQL/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TPMKRUS4HO3P7NR7P4Y6CLHB4MBEE3AI/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U63MJ2VOLLQ35R7CYNREUHSXYLWNPVSB/

https://www.paramiko.org/changelog.html