Race Condition Affecting paramiko package, versions [,2.10.1)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.31% (70th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Race Condition vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PYTHON-PARAMIKO-2429583
  • published18 Mar 2022
  • disclosed18 Mar 2022
  • creditJan Schejbal, Jeremy Katz

Introduced: 18 Mar 2022

CVE-2022-24302  (opens in a new tab)
CWE-362  (opens in a new tab)

How to fix?

Upgrade paramiko to version 2.10.1 or higher.

Overview

paramiko is a library for making SSH2 connections (client or server).

Affected versions of this package are vulnerable to Race Condition when creating new private key files using ~paramiko.pkey.PKey subclasses, it is possible to be exploited in the process between file creation & mode modification via the write_private_key_file function.

CVSS Scores

version 3.1