Python/paramiko/1.7.1

SSH2 protocol library

Repo Link: https://pypi.org/project/paramiko
License: LGPL-3.0-or-later

4 Security Vulnerabilities

Paramiko not properly checking authentication before processing other requests

Published date: 2018-07-12T20:29:30Z

CVE: CVE-2018-7750

Links:

transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.

Affected versions: ["1.10.1", "1.10.5", "1.16.1", "1.5.2", "1.10.0", "1.10.7", "1.13.1", "1.5.4", "1.7", "1.7.2", "0.1-bulbasaur", "0.9-doduo", "0.9-fearow", "1.10.3", "1.11.0", "1.14.2", "1.17.2", "1.3.1", "1.7.1", "1.7.5", "0.9-horsea", "1.1", "1.10.6", "1.11.1", "1.12.2", "1.14.0", "1.15.0", "1.15.3", "1.17.0", "1.17.1", "1.17.3", "1.3", "1.6.3", "1.7.7.1", "0.1-charmander", "0.9-eevee", "1.0", "1.10.2", "1.10.4", "1.15.1", "1.15.4", "1.17.5", "1.8.1", "0.9-gyarados", "1.12.0", "1.15.2", "1.16.2", "1.4", "1.5.1", "1.6.1", "1.11.3", "1.11.4", "1.12.1", "1.13.4", "1.17.4", "1.2", "1.6.2", "1.6.4", "1.7.6", "1.8.0", "1.9.0", "0.9-ivysaur", "1.11.2", "1.11.5", "1.11.6", "1.12.3", "1.12.4", "1.13.0", "1.13.2", "1.13.3", "1.14.1", "1.14.3", "1.15.5", "1.16.0", "1.16.3", "1.6", "1.7.4", "1.7.7.2", "1.18.2", "1.18.3", "1.18.1", "1.18.4", "1.18.0", "2.4.0", "2.3.1", "2.3.0", "2.2.0", "2.2.2", "2.2.1", "2.1.2", "2.1.4", "2.1.3", "2.1.0", "2.1.1", "2.0.1", "2.0.4", "2.0.6", "2.0.7", "2.0.0", "2.0.5", "2.0.3", "2.0.2"]

Secure versions: [5.0.0]

Recommendation: Update to version 5.0.0.

Paramiko Authentication Bypass vulnerability

Published date: 2018-10-10T16:10:10Z

CVE: CVE-2018-1000805

Links:

Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 contains a Incorrect Access Control vulnerability in SSH server that can result in RCE. This attack appear to be exploitable via network connectivity.

Secure versions: [5.0.0]

Recommendation: Update to version 5.0.0.

Paramiko rsakey.py allows the SHA-1 algorithm

Published date: 2026-05-06T00:31:33Z

CVE: CVE-2026-44405

Links:

In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm.

Affected versions: ["1.10.1", "1.10.5", "1.16.1", "1.17.6", "1.5.2", "2.0.1", "2.0.4", "1.10.0", "1.10.7", "1.13.1", "1.18.2", "1.18.3", "1.5.4", "1.7", "1.7.2", "0.1-bulbasaur", "0.9-doduo", "0.9-fearow", "1.10.3", "1.11.0", "1.14.2", "1.17.2", "1.3.1", "1.7.1", "1.7.5", "0.9-horsea", "1.1", "1.10.6", "1.11.1", "1.12.2", "1.14.0", "1.15.0", "1.15.3", "1.17.0", "1.17.1", "1.17.3", "1.3", "1.6.3", "1.7.7.1", "2.0.6", "2.0.7", "2.0.8", "0.1-charmander", "0.9-eevee", "1.0", "1.10.2", "1.10.4", "1.15.1", "1.15.4", "1.17.5", "1.18.1", "1.18.4", "1.8.1", "2.0.0", "2.1.5", "2.1.6", "2.4.3", "2.5.1", "2.1.2", "2.1.4", "2.2.0", "2.2.4", "2.3.3", "0.9-gyarados", "1.12.0", "1.15.2", "1.16.2", "1.18.0", "1.4", "1.5.1", "1.6.1", "2.0.5", "2.1.3", "2.3.1", "2.5.0", "2.2.3", "2.6.0", "1.11.3", "1.11.4", "1.12.1", "1.13.4", "1.17.4", "1.18.5", "1.2", "1.6.2", "1.6.4", "1.7.6", "1.8.0", "1.9.0", "2.0.3", "2.0.9", "2.1.0", "2.3.0", "2.4.2", "2.7.1", "2.1.1", "2.2.2", "2.4.0", "2.7.2", "0.9-ivysaur", "1.11.2", "1.11.5", "1.11.6", "1.12.3", "1.12.4", "1.13.0", "1.13.2", "1.13.3", "1.14.1", "1.14.3", "1.15.5", "1.16.0", "1.16.3", "1.6", "1.7.4", "1.7.7.2", "2.0.2", "2.4.1", "2.7.0", "2.2.1", "2.3.2", "2.8.0", "2.8.1", "2.9.0", "2.9.1", "2.9.2", "2.10.0", "2.10.1", "2.10.2", "2.10.3", "2.9.3", "2.10.4", "2.9.4", "2.10.5", "2.11.0", "2.9.5", "2.10.6", "2.12.0", "2.11.1", "3.0.0", "3.1.0", "3.2.0", "3.3.1", "3.3.0", "3.4.0", "3.4.1", "3.3.2", "3.5.0", "3.5.1", "4.0.0"]

Secure versions: [5.0.0]

Recommendation: Update to version 5.0.0.

Paramiko Unsafe randomness usage may allow access to sensitive information

Published date: 2022-05-01T23:28:57Z

CVE: CVE-2008-0299

Links:

common.py in Paramiko 1.7.1 and earlier, when using threads or forked processes, does not properly use RandomPool, which allows one session to obtain sensitive information from another session by predicting the state of the pool.

Affected versions: ["1.5.2", "1.5.4", "1.7", "0.1-bulbasaur", "0.9-doduo", "0.9-fearow", "1.3.1", "1.7.1", "0.9-horsea", "1.1", "1.3", "1.6.3", "0.1-charmander", "0.9-eevee", "1.0", "0.9-gyarados", "1.4", "1.5.1", "1.6.1", "1.2", "1.6.2", "1.6.4", "0.9-ivysaur", "1.6"]

Secure versions: [5.0.0]

Recommendation: Update to version 5.0.0.

151 Other Versions

Version	License	Security	Released
2.1.5	LGPL-3.0-or-later	2	2018-03-13 - 01:27	over 8 years
2.1.4	LGPL-3.0-or-later	3	2017-09-18 - 19:16	over 8 years
2.1.3	LGPL-3.0-or-later	3	2017-06-09 - 22:09	about 9 years
2.1.2	LGPL-3.0-or-later	3	2017-02-21 - 05:24	over 9 years
2.1.1	LGPL-3.0-or-later	3	2016-12-13 - 00:13	over 9 years
2.1.0	LGPL-3.0-or-later	3	2016-12-09 - 18:49	over 9 years
2.0.9	LGPL-3.0-or-later	1	2018-09-19 - 04:19	over 7 years
2.0.8	LGPL-3.0-or-later	2	2018-03-13 - 01:22	over 8 years
2.0.7	LGPL-3.0-or-later	3	2017-09-18 - 19:14	over 8 years
2.0.6	LGPL-3.0-or-later	3	2017-06-09 - 22:07	about 9 years
2.0.5	LGPL-3.0-or-later	3	2017-02-21 - 05:20	over 9 years
2.0.4	LGPL-3.0-or-later	3	2016-12-13 - 00:11	over 9 years
2.0.3	LGPL-3.0-or-later	3	2016-12-09 - 18:45	over 9 years
2.0.2	LGPL-3.0-or-later	3	2016-07-26 - 04:15	almost 10 years
2.0.1	LGPL-3.0-or-later	3	2016-06-21 - 20:34	almost 10 years
2.0.0	LGPL-3.0-or-later	3	2016-04-29 - 05:17	about 10 years
1.18.5	LGPL-3.0-or-later	2	2018-03-13 - 01:21	over 8 years
1.18.4	LGPL-3.0-or-later	3	2017-09-18 - 19:13	over 8 years
1.18.3	LGPL-3.0-or-later	3	2017-06-09 - 22:03	about 9 years
1.18.2	LGPL-3.0-or-later	3	2017-02-21 - 05:17	over 9 years
1.18.1	LGPL-3.0-or-later	3	2016-12-13 - 00:08	over 9 years
1.18.0	LGPL-3.0-or-later	3	2016-12-09 - 18:43	over 9 years
1.17.6	LGPL-3.0-or-later	2	2018-03-13 - 01:21	over 8 years
1.17.5	LGPL-3.0-or-later	3	2017-06-09 - 21:42	about 9 years
1.17.4	LGPL-3.0-or-later	3	2017-02-21 - 05:13	over 9 years
1.17.3	LGPL-3.0-or-later	3	2016-12-09 - 18:46	over 9 years
1.17.2	LGPL-3.0-or-later	3	2016-07-26 - 04:15	almost 10 years
1.17.1	LGPL-3.0-or-later	3	2016-06-21 - 20:32	almost 10 years
1.17.0	LGPL-3.0-or-later	3	2016-04-29 - 05:15	about 10 years
1.16.3	LGPL-3.0-or-later	3	2016-07-26 - 04:14	almost 10 years
1.16.2	LGPL-3.0-or-later	3	2016-06-21 - 20:31	almost 10 years
1.16.1	LGPL-3.0-or-later	3	2016-04-29 - 05:11	about 10 years
1.16.0	LGPL-3.0-or-later	3	2015-11-05 - 22:59	over 10 years
1.15.5	LGPL-3.0-or-later	3	2016-04-29 - 05:09	about 10 years
1.15.4	LGPL-3.0-or-later	3	2015-11-03 - 02:09	over 10 years
1.15.3	LGPL-3.0-or-later	3	2015-10-02 - 23:28	over 10 years
1.15.2	LGPL-3.0-or-later	3	2014-12-19 - 23:01	over 11 years
1.15.1	LGPL-3.0-or-later	3	2014-09-22 - 18:34	over 11 years
1.15.0	LGPL-3.0-or-later	3	2014-09-18 - 23:57	over 11 years
1.14.3	LGPL-3.0-or-later	3	2015-11-03 - 02:06	over 10 years
1.14.2	LGPL-3.0-or-later	3	2014-12-19 - 22:58	over 11 years
1.14.1	LGPL-3.0-or-later	3	2014-08-26 - 07:04	almost 12 years
1.14.0	LGPL-3.0-or-later	3	2014-05-07 - 23:14	about 12 years
1.13.4	LGPL-3.0-or-later	3	2015-11-03 - 02:03	over 10 years
1.13.3	LGPL-3.0-or-later	3	2014-12-19 - 22:58	over 11 years
1.13.2	LGPL-3.0-or-later	3	2014-08-26 - 07:02	almost 12 years
1.13.1	LGPL-3.0-or-later	3	2014-05-07 - 22:29	about 12 years
1.13.0	LGPL-3.0-or-later	3	2014-03-14 - 04:31	over 12 years
1.12.4	LGPL-3.0-or-later	3	2014-05-07 - 21:55	about 12 years
1.12.3	LGPL-3.0-or-later	3	2014-03-14 - 04:31	over 12 years