PT-2013-5243 · Simon Tatham+1 · Putty+1

Gergely Eberhardt

Published

2013-08-09

Updated

2024-06-15

CVE-2013-4852

CVSS v2.0

6.8

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions PuTTY versions 0.62 and earlier WinSCP versions prior to 5.1.6

Description The issue is related to an integer overflow that can occur when a remote SSH server sends a negative size value in an RSA key signature during the SSH handshake. This can trigger a heap-based buffer overflow, potentially allowing the execution of arbitrary code in certain applications that use PuTTY, and can cause a denial of service (crash).

Recommendations For PuTTY versions 0.62 and earlier, update to a version later than 0.62 to resolve the issue. For WinSCP versions prior to 5.1.6, update to version 5.1.6 or later to resolve the issue.

Fix

DoS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-189

Related Identifiers

CVE-2013-4852

DSA-2736-1

MGASA-2013-0242

OPENSUSE-SU-2024:10374-1

OPENSUSE-SU-2024:10399-1

Affected Products

Putty

Winscp

PT-2013-5243 · Simon Tatham+1 · Putty+1

CVE-2013-4852

Weakness Enumeration

Related Identifiers

Affected Products

References · 35