Python/paramiko/0.9-fearow

SSH2 protocol library

Repo Link: https://pypi.org/project/paramiko
License: LGPL-3.0-or-later

3 Security Vulnerabilities

Paramiko not properly checking authentication before processing other requests

Published date: 2018-07-12T20:29:30Z

CVE: CVE-2018-7750

Links:

transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.

Affected versions: ["1.10.1", "1.10.5", "1.16.1", "1.5.2", "1.10.0", "1.10.7", "1.13.1", "1.5.4", "1.7", "1.7.2", "0.1-bulbasaur", "0.9-doduo", "0.9-fearow", "1.10.3", "1.11.0", "1.14.2", "1.17.2", "1.3.1", "1.7.1", "1.7.5", "0.9-horsea", "1.1", "1.10.6", "1.11.1", "1.12.2", "1.14.0", "1.15.0", "1.15.3", "1.17.0", "1.17.1", "1.17.3", "1.3", "1.6.3", "1.7.7.1", "0.1-charmander", "0.9-eevee", "1.0", "1.10.2", "1.10.4", "1.15.1", "1.15.4", "1.17.5", "1.8.1", "0.9-gyarados", "1.12.0", "1.15.2", "1.16.2", "1.4", "1.5.1", "1.6.1", "1.11.3", "1.11.4", "1.12.1", "1.13.4", "1.17.4", "1.2", "1.6.2", "1.6.4", "1.7.6", "1.8.0", "1.9.0", "0.9-ivysaur", "1.11.2", "1.11.5", "1.11.6", "1.12.3", "1.12.4", "1.13.0", "1.13.2", "1.13.3", "1.14.1", "1.14.3", "1.15.5", "1.16.0", "1.16.3", "1.6", "1.7.4", "1.7.7.2", "1.18.2", "1.18.3", "1.18.1", "1.18.4", "1.18.0", "2.4.0", "2.3.1", "2.3.0", "2.2.0", "2.2.2", "2.2.1", "2.1.2", "2.1.4", "2.1.3", "2.1.0", "2.1.1", "2.0.1", "2.0.4", "2.0.6", "2.0.7", "2.0.0", "2.0.5", "2.0.3", "2.0.2"]

Secure versions: [5.0.0]

Recommendation: Update to version 5.0.0.

Paramiko rsakey.py allows the SHA-1 algorithm

Published date: 2026-05-06T00:31:33Z

CVE: CVE-2026-44405

Links:

In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm.

Affected versions: ["1.10.1", "1.10.5", "1.16.1", "1.17.6", "1.5.2", "2.0.1", "2.0.4", "1.10.0", "1.10.7", "1.13.1", "1.18.2", "1.18.3", "1.5.4", "1.7", "1.7.2", "0.1-bulbasaur", "0.9-doduo", "0.9-fearow", "1.10.3", "1.11.0", "1.14.2", "1.17.2", "1.3.1", "1.7.1", "1.7.5", "0.9-horsea", "1.1", "1.10.6", "1.11.1", "1.12.2", "1.14.0", "1.15.0", "1.15.3", "1.17.0", "1.17.1", "1.17.3", "1.3", "1.6.3", "1.7.7.1", "2.0.6", "2.0.7", "2.0.8", "0.1-charmander", "0.9-eevee", "1.0", "1.10.2", "1.10.4", "1.15.1", "1.15.4", "1.17.5", "1.18.1", "1.18.4", "1.8.1", "2.0.0", "2.1.5", "2.1.6", "2.4.3", "2.5.1", "2.1.2", "2.1.4", "2.2.0", "2.2.4", "2.3.3", "0.9-gyarados", "1.12.0", "1.15.2", "1.16.2", "1.18.0", "1.4", "1.5.1", "1.6.1", "2.0.5", "2.1.3", "2.3.1", "2.5.0", "2.2.3", "2.6.0", "1.11.3", "1.11.4", "1.12.1", "1.13.4", "1.17.4", "1.18.5", "1.2", "1.6.2", "1.6.4", "1.7.6", "1.8.0", "1.9.0", "2.0.3", "2.0.9", "2.1.0", "2.3.0", "2.4.2", "2.7.1", "2.1.1", "2.2.2", "2.4.0", "2.7.2", "0.9-ivysaur", "1.11.2", "1.11.5", "1.11.6", "1.12.3", "1.12.4", "1.13.0", "1.13.2", "1.13.3", "1.14.1", "1.14.3", "1.15.5", "1.16.0", "1.16.3", "1.6", "1.7.4", "1.7.7.2", "2.0.2", "2.4.1", "2.7.0", "2.2.1", "2.3.2", "2.8.0", "2.8.1", "2.9.0", "2.9.1", "2.9.2", "2.10.0", "2.10.1", "2.10.2", "2.10.3", "2.9.3", "2.10.4", "2.9.4", "2.10.5", "2.11.0", "2.9.5", "2.10.6", "2.12.0", "2.11.1", "3.0.0", "3.1.0", "3.2.0", "3.3.1", "3.3.0", "3.4.0", "3.4.1", "3.3.2", "3.5.0", "3.5.1", "4.0.0"]

Secure versions: [5.0.0]

Recommendation: Update to version 5.0.0.

Paramiko Unsafe randomness usage may allow access to sensitive information

Published date: 2022-05-01T23:28:57Z

CVE: CVE-2008-0299

Links:

common.py in Paramiko 1.7.1 and earlier, when using threads or forked processes, does not properly use RandomPool, which allows one session to obtain sensitive information from another session by predicting the state of the pool.

Affected versions: ["1.5.2", "1.5.4", "1.7", "0.1-bulbasaur", "0.9-doduo", "0.9-fearow", "1.3.1", "1.7.1", "0.9-horsea", "1.1", "1.3", "1.6.3", "0.1-charmander", "0.9-eevee", "1.0", "0.9-gyarados", "1.4", "1.5.1", "1.6.1", "1.2", "1.6.2", "1.6.4", "0.9-ivysaur", "1.6"]

Secure versions: [5.0.0]

Recommendation: Update to version 5.0.0.

151 Other Versions

Version	License	Security	Released
5.0.0	UNKNOWN
4.0.0	UNKNOWN	1
3.5.1	LGPL-3.0-or-later	1	1970-01-01 - 00:00	over 56 years
3.5.0	LGPL-3.0-or-later	1	1970-01-01 - 00:00	over 56 years
3.4.1	LGPL-3.0-or-later	1	1970-01-01 - 00:00	over 56 years
3.4.0	LGPL-3.0-or-later	1	1970-01-01 - 00:00	over 56 years
3.3.2	LGPL-3.0-or-later	2	1970-01-01 - 00:00	over 56 years
3.3.1	LGPL-3.0-or-later	2	1970-01-01 - 00:00	over 56 years
3.3.0	LGPL-3.0-or-later	2	1970-01-01 - 00:00	over 56 years
3.2.0	LGPL-3.0-or-later	2	1970-01-01 - 00:00	over 56 years
3.1.0	LGPL-3.0-or-later	2	1970-01-01 - 00:00	over 56 years
3.0.0	LGPL-3.0-or-later	2	1970-01-01 - 00:00	over 56 years
2.12.0	LGPL-3.0-or-later	2	1970-01-01 - 00:00	over 56 years
2.11.1	LGPL-3.0-or-later	2	1970-01-01 - 00:00	over 56 years
2.11.0	LGPL-3.0-or-later	2	2022-05-17 - 01:07	about 4 years
2.10.6	LGPL-3.0-or-later	2	1970-01-01 - 00:00	over 56 years
2.10.5	LGPL-3.0-or-later	2	2022-05-17 - 01:04	about 4 years
2.10.4	LGPL-3.0-or-later	2	2022-04-25 - 18:21	about 4 years
2.10.3	LGPL-3.0-or-later	2	2022-03-18 - 21:03	over 4 years
2.10.2	LGPL-3.0-or-later	2	2022-03-14 - 23:27	over 4 years
2.10.1	LGPL-3.0-or-later	2	2022-03-12 - 04:23	over 4 years
2.10.0	LGPL-3.0-or-later	3	2022-03-12 - 03:45	over 4 years
2.9.5	LGPL-3.0-or-later	2	2022-05-17 - 01:02	about 4 years
2.9.4	LGPL-3.0-or-later	2	2022-04-25 - 16:24	about 4 years
2.9.3	LGPL-3.0-or-later	2	2022-03-18 - 21:01	over 4 years
2.9.2	LGPL-3.0-or-later	3	2022-01-08 - 19:30	over 4 years
2.9.1	LGPL-3.0-or-later	3	2021-12-24 - 19:54	over 4 years
2.9.0	LGPL-3.0-or-later	3	2021-12-23 - 22:46	over 4 years
2.8.1	LGPL-3.0-or-later	2	2021-11-29 - 03:58	over 4 years
2.8.0	LGPL-3.0-or-later	2	2021-10-09 - 21:45	over 4 years
2.7.2	LGPL-3.0-or-later	2	2020-08-30 - 19:56	almost 6 years
2.7.1	LGPL-3.0-or-later	2	2019-12-09 - 23:21	over 6 years
2.7.0	LGPL-3.0-or-later	2	2019-12-03 - 22:58	over 6 years
2.6.0	LGPL-3.0-or-later	2	2019-06-23 - 22:48	almost 7 years
2.5.1	LGPL-3.0-or-later	2	2019-06-23 - 22:47	almost 7 years
2.5.0	LGPL-3.0-or-later	2	2019-06-10 - 01:00	about 7 years
2.4.3	LGPL-3.0-or-later	1	2019-06-23 - 22:45	almost 7 years
2.4.2	LGPL-3.0-or-later	1	2018-09-19 - 04:22	over 7 years
2.4.1	LGPL-3.0-or-later	2	2018-03-13 - 01:30	over 8 years
2.4.0	LGPL-3.0-or-later	3	2017-11-14 - 22:21	over 8 years
2.3.3	LGPL-3.0-or-later	1	2018-09-19 - 04:21	over 7 years
2.3.2	LGPL-3.0-or-later	2	2018-03-13 - 01:30	over 8 years
2.3.1	LGPL-3.0-or-later	3	2017-09-22 - 20:16	over 8 years
2.3.0	LGPL-3.0-or-later	3	2017-09-18 - 19:18	over 8 years
2.2.4	LGPL-3.0-or-later	1	2018-09-19 - 04:21	over 7 years
2.2.3	LGPL-3.0-or-later	2	2018-03-13 - 01:28	over 8 years
2.2.2	LGPL-3.0-or-later	3	2017-09-18 - 19:17	over 8 years
2.2.1	LGPL-3.0-or-later	3	2017-06-13 - 20:14	about 9 years
2.2.0	LGPL-3.0-or-later	3	2017-06-09 - 22:10	about 9 years
2.1.6	LGPL-3.0-or-later	1	2018-09-19 - 04:20	over 7 years