Python/paramiko/0.9-horsea


SSH2 protocol library

https://pypi.org/project/paramiko
LGPL-3.0-or-later

3 Security Vulnerabilities

Paramiko not properly checking authentication before processing other requests

Published date: 2018-07-12T20:29:30Z
CVE: CVE-2018-7750

transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.

Affected versions: ["1.10.1", "1.10.5", "1.16.1", "1.5.2", "1.10.0", "1.10.7", "1.13.1", "1.5.4", "1.7", "1.7.2", "0.1-bulbasaur", "0.9-doduo", "0.9-fearow", "1.10.3", "1.11.0", "1.14.2", "1.17.2", "1.3.1", "1.7.1", "1.7.5", "0.9-horsea", "1.1", "1.10.6", "1.11.1", "1.12.2", "1.14.0", "1.15.0", "1.15.3", "1.17.0", "1.17.1", "1.17.3", "1.3", "1.6.3", "1.7.7.1", "0.1-charmander", "0.9-eevee", "1.0", "1.10.2", "1.10.4", "1.15.1", "1.15.4", "1.17.5", "1.8.1", "0.9-gyarados", "1.12.0", "1.15.2", "1.16.2", "1.4", "1.5.1", "1.6.1", "1.11.3", "1.11.4", "1.12.1", "1.13.4", "1.17.4", "1.2", "1.6.2", "1.6.4", "1.7.6", "1.8.0", "1.9.0", "0.9-ivysaur", "1.11.2", "1.11.5", "1.11.6", "1.12.3", "1.12.4", "1.13.0", "1.13.2", "1.13.3", "1.14.1", "1.14.3", "1.15.5", "1.16.0", "1.16.3", "1.6", "1.7.4", "1.7.7.2", "1.18.2", "1.18.3", "1.18.1", "1.18.4", "1.18.0", "2.4.0", "2.3.1", "2.3.0", "2.2.0", "2.2.2", "2.2.1", "2.1.2", "2.1.4", "2.1.3", "2.1.0", "2.1.1", "2.0.1", "2.0.4", "2.0.6", "2.0.7", "2.0.0", "2.0.5", "2.0.3", "2.0.2"]
Secure versions: [5.0.0]
Recommendation: Update to version 5.0.0.

Paramiko rsakey.py allows the SHA-1 algorithm

Published date: 2026-05-06T00:31:33Z
CVE: CVE-2026-44405

In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm.

Affected versions: ["1.10.1", "1.10.5", "1.16.1", "1.17.6", "1.5.2", "2.0.1", "2.0.4", "1.10.0", "1.10.7", "1.13.1", "1.18.2", "1.18.3", "1.5.4", "1.7", "1.7.2", "0.1-bulbasaur", "0.9-doduo", "0.9-fearow", "1.10.3", "1.11.0", "1.14.2", "1.17.2", "1.3.1", "1.7.1", "1.7.5", "0.9-horsea", "1.1", "1.10.6", "1.11.1", "1.12.2", "1.14.0", "1.15.0", "1.15.3", "1.17.0", "1.17.1", "1.17.3", "1.3", "1.6.3", "1.7.7.1", "2.0.6", "2.0.7", "2.0.8", "0.1-charmander", "0.9-eevee", "1.0", "1.10.2", "1.10.4", "1.15.1", "1.15.4", "1.17.5", "1.18.1", "1.18.4", "1.8.1", "2.0.0", "2.1.5", "2.1.6", "2.4.3", "2.5.1", "2.1.2", "2.1.4", "2.2.0", "2.2.4", "2.3.3", "0.9-gyarados", "1.12.0", "1.15.2", "1.16.2", "1.18.0", "1.4", "1.5.1", "1.6.1", "2.0.5", "2.1.3", "2.3.1", "2.5.0", "2.2.3", "2.6.0", "1.11.3", "1.11.4", "1.12.1", "1.13.4", "1.17.4", "1.18.5", "1.2", "1.6.2", "1.6.4", "1.7.6", "1.8.0", "1.9.0", "2.0.3", "2.0.9", "2.1.0", "2.3.0", "2.4.2", "2.7.1", "2.1.1", "2.2.2", "2.4.0", "2.7.2", "0.9-ivysaur", "1.11.2", "1.11.5", "1.11.6", "1.12.3", "1.12.4", "1.13.0", "1.13.2", "1.13.3", "1.14.1", "1.14.3", "1.15.5", "1.16.0", "1.16.3", "1.6", "1.7.4", "1.7.7.2", "2.0.2", "2.4.1", "2.7.0", "2.2.1", "2.3.2", "2.8.0", "2.8.1", "2.9.0", "2.9.1", "2.9.2", "2.10.0", "2.10.1", "2.10.2", "2.10.3", "2.9.3", "2.10.4", "2.9.4", "2.10.5", "2.11.0", "2.9.5", "2.10.6", "2.12.0", "2.11.1", "3.0.0", "3.1.0", "3.2.0", "3.3.1", "3.3.0", "3.4.0", "3.4.1", "3.3.2", "3.5.0", "3.5.1", "4.0.0"]
Secure versions: [5.0.0]
Recommendation: Update to version 5.0.0.

Paramiko Unsafe randomness usage may allow access to sensitive information

Published date: 2022-05-01T23:28:57Z
CVE: CVE-2008-0299

common.py in Paramiko 1.7.1 and earlier, when using threads or forked processes, does not properly use RandomPool, which allows one session to obtain sensitive information from another session by predicting the state of the pool.

Affected versions: ["1.5.2", "1.5.4", "1.7", "0.1-bulbasaur", "0.9-doduo", "0.9-fearow", "1.3.1", "1.7.1", "0.9-horsea", "1.1", "1.3", "1.6.3", "0.1-charmander", "0.9-eevee", "1.0", "0.9-gyarados", "1.4", "1.5.1", "1.6.1", "1.2", "1.6.2", "1.6.4", "0.9-ivysaur", "1.6"]
Secure versions: [5.0.0]
Recommendation: Update to version 5.0.0.

151 Other Versions

Version License Security Released
1.12.2 LGPL-3.0-or-later 3 2014-02-14 - 18:06 over 12 years
1.12.1 LGPL-3.0-or-later 3 2014-01-09 - 00:45 over 12 years
1.12.0 LGPL-3.0-or-later 3 2013-09-28 - 05:06 over 12 years
1.11.6 LGPL-3.0-or-later 3 2014-05-07 - 21:34 about 12 years
1.11.5 LGPL-3.0-or-later 3 2014-03-14 - 04:28 over 12 years
1.11.4 LGPL-3.0-or-later 3 2014-02-14 - 18:06 over 12 years
1.11.3 LGPL-3.0-or-later 3 2014-01-09 - 00:42 over 12 years
1.11.2 LGPL-3.0-or-later 3 2013-09-28 - 05:06 over 12 years
1.11.1 LGPL-3.0-or-later 3 2013-09-21 - 01:02 over 12 years
1.11.0 LGPL-3.0-or-later 3 2013-07-26 - 22:08 almost 13 years
1.10.7 LGPL-3.0-or-later 3 2014-03-14 - 04:26 over 12 years
1.10.6 LGPL-3.0-or-later 3 2014-02-14 - 18:06 over 12 years
1.10.5 LGPL-3.0-or-later 3 2014-01-09 - 00:42 over 12 years
1.10.4 LGPL-3.0-or-later 3 2013-09-28 - 05:04 over 12 years
1.10.3 LGPL-3.0-or-later 3 2013-09-21 - 00:56 over 12 years
1.10.2 LGPL-3.0-or-later 3 2013-07-26 - 22:08 almost 13 years
1.10.1 LGPL-3.0-or-later 3 2013-04-05 - 20:04 about 13 years
1.10.0 LGPL-3.0-or-later 3 2013-03-01 - 22:58 over 13 years
1.9.0 LGPL-3.0-or-later 3 2012-11-06 - 22:53 over 13 years
1.8.1 LGPL-3.0-or-later 3 2012-11-06 - 21:57 over 13 years
1.8.0 LGPL-3.0-or-later 3 2012-10-03 - 00:08 over 13 years
1.7.7.2 LGPL-3.0-or-later 3 2012-05-17 - 01:34 about 14 years
1.7.7.1 LGPL-3.0-or-later 3 2011-05-23 - 23:24 about 15 years
1.7.6 LGPL-3.0-or-later 3 2010-10-27 - 03:00 over 15 years
1.7.5 LGPL-3.0-or-later 3 2012-09-26 - 22:51 over 13 years
1.7.4 LGPL-3.0-or-later 3 2012-09-30 - 21:10 over 13 years
1.7.2 LGPL-3.0-or-later 3 2012-09-26 - 22:50 over 13 years
1.7.1 LGPL-3.0-or-later 4 2012-09-26 - 22:50 over 13 years
1.7 LGPL-3.0-or-later 4 2012-09-26 - 22:49 over 13 years
1.6.4 LGPL-3.0-or-later 4 2012-09-26 - 22:48 over 13 years
1.6.3 LGPL-3.0-or-later 4 2012-09-26 - 22:48 over 13 years
1.6.2 LGPL-3.0-or-later 4 2012-09-26 - 22:47 over 13 years
1.6.1 LGPL-3.0-or-later 4 2012-09-26 - 22:47 over 13 years
1.6 LGPL-3.0-or-later 4 2012-09-26 - 22:46 over 13 years
1.5.4 LGPL-3.0-or-later 4 2012-09-26 - 22:46 over 13 years
1.5.2 LGPL-3.0-or-later 4 2012-09-26 - 22:45 over 13 years
1.5.1 LGPL-3.0-or-later 4 2012-09-26 - 22:44 over 13 years
1.4 LGPL-3.0-or-later 3 2012-09-26 - 22:43 over 13 years
1.3.1 LGPL-3.0-or-later 3 2012-09-26 - 22:42 over 13 years
1.3 LGPL-3.0-or-later 3 2012-09-26 - 22:42 over 13 years
1.2 LGPL-3.0-or-later 3 2012-09-26 - 22:41 over 13 years
1.1 LGPL-3.0-or-later 3 2012-09-26 - 22:40 over 13 years
1.0 LGPL-3.0-or-later 3 2012-09-26 - 22:39 over 13 years
0.1-bulbasaur LGPL-3.0-or-later 3 2012-09-26 - 22:31 over 13 years
0.9-doduo LGPL-3.0-or-later 3 2012-09-26 - 22:33 over 13 years
0.9-fearow LGPL-3.0-or-later 3 2012-09-26 - 22:35 over 13 years
0.9-horsea LGPL-3.0-or-later 3 2012-09-26 - 22:38 over 13 years
0.1-charmander LGPL-3.0-or-later 3 2012-09-26 - 22:33 over 13 years
0.9-eevee LGPL-3.0-or-later 3 2012-09-26 - 22:35 over 13 years
0.9-gyarados LGPL-3.0-or-later 3 2012-09-26 - 22:36 over 13 years