CVE-2022-24302 (Medium) detected in paramiko-2.8.1-py2.py3-none-any.whl - autoclosed

[mend-bolt-for-github]

CVE-2022-24302 - Medium Severity Vulnerability

Vulnerable Library - paramiko-2.8.1-py2.py3-none-any.whl

SSH2 protocol library

Library home page: https://files.pythonhosted.org/packages/ba/e5/16e51472617cdcc90a4b9019543087f584a73b76d501d4b165abb7893fe9/paramiko-2.8.1-py2.py3-none-any.whl

Path to dependency file: /config/requirements.txt

Path to vulnerable library: /config/requirements.txt

Dependency Hierarchy:

• ❌ paramiko-2.8.1-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.

Publish Date: 2022-03-17

URL: CVE-2022-24302

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.paramiko.org/changelog.html

Release Date: 2022-03-17

Fix Resolution: 2.9.3

---

Step up your Open Source Security Game with Mend here

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-bolt-for-github]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

[kbrock]

• ansible/netcommon requests paramiko==to 2.8.1
• security request is paramiko>=2.9.3

Going to pay attention to cve request.

requirements.rb will get confused in future b/c these 2 requirements are not technically compatible.

UPDATE: no idea why this is pegged down.
fixing

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.