Vulnerability Name:

CVE-2013-4207 (CCN-86267)

Assigned:2013-08-06
Published:2013-08-06
Updated:2021-08-06
Summary:Buffer overflow in sshbn.c in PuTTY before 0.63 allows remote SSH servers to cause a denial of service (crash) via an invalid DSA signature that is not properly handled during computation of a modular inverse and triggers the overflow during a division by zero by the bignum functionality, a different vulnerability than CVE-2013-4206.
CVSS v3 Severity:7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.5 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-119
Vulnerability Consequences:Gain Access
References:Source: CCN
Type: tortoisegit GIT Repository
Release 1.8.5.0

Source: MITRE
Type: CNA
CVE-2013-4207

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2013:1347

Source: CCN
Type: oss-sec mailing list, Tue, 06 Aug 2013 17:45:13 -0600
Re: CVE request: three additional flaws fixed in putty 0.63

Source: SECUNIA
Type: Vendor Advisory
54379

Source: CCN
Type: SA54415
FileZilla Client PuTTY Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
54533

Source: CCN
Type: SA54599
TortoiseGit PuTTY PLink Multiple Integer Overflow Vulnerabilities

Source: CCN
Type: PuTTY SVN Repository
Revision 9996

Source: CCN
Type: PuTTY Web Site
PuTTY Download Page

Source: CONFIRM
Type: Vendor Advisory
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-bignum-division-by-zero.html

Source: DEBIAN
Type: UNKNOWN
DSA-2736

Source: DEBIAN
Type: DSA-2736
putty -- several vulnerabilities

Source: MLIST
Type: UNKNOWN
[oss-security] 20130806 CVE request: three additional flaws fixed in putty 0.63

Source: CCN
Type: BID-61649
PuTTY DSA Signature CVE-2013-4207 Remote Buffer Overflow Vulnerability

Source: XF
Type: UNKNOWN
putty-cve20134207-bo(86267)

Source: CCN
Type: FileZilla Web Site
FileZilla Client 3.7.3 released

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2013-4207

Vulnerable Configuration:Configuration 1:
  • cpe:/a:putty:putty:0.57:*:*:*:*:*:*:*
  • OR cpe:/a:putty:putty:0.56:*:*:*:*:*:*:*
  • OR cpe:/a:putty:putty:0.55:*:*:*:*:*:*:*
  • OR cpe:/a:putty:putty:0.54:*:*:*:*:*:*:*
  • OR cpe:/a:putty:putty:0.53b:*:*:*:*:*:*:*
  • OR cpe:/a:simon_tatham:putty:*:*:*:*:*:*:*:* (Version <= 0.62)
  • OR cpe:/a:putty:putty:0.49:*:*:*:*:*:*:*
  • OR cpe:/a:putty:putty:0.48:*:*:*:*:*:*:*
  • OR cpe:/a:putty:putty:0.47:*:*:*:*:*:*:*
  • OR cpe:/a:putty:putty:0.46:*:*:*:*:*:*:*
  • OR cpe:/a:putty:putty:0.60:*:*:*:*:*:*:*
  • OR cpe:/a:putty:putty:0.50:*:*:*:*:*:*:*
  • OR cpe:/a:putty:putty:0.51:*:*:*:*:*:*:*
  • OR cpe:/a:putty:putty:0.53:*:*:*:*:*:*:*
  • OR cpe:/a:putty:putty:0.52:*:*:*:*:*:*:*
  • OR cpe:/a:putty:putty:0.45:*:*:*:*:*:*:*
  • OR cpe:/a:putty:putty:0.58:*:*:*:*:*:*:*
  • OR cpe:/a:putty:putty:0.59:*:*:*:*:*:*:*
  • OR cpe:/a:putty:putty:0.61:*:*:*:*:*:*:*
  • OR cpe:/a:putty:putty:2010-06-01:r8967:*:*:development_snapshot:*:*:*

    • Configuration CCN 1:
  • cpe:/a:putty:putty:0.62:*:*:*:*:*:*:*
  • OR cpe:/a:filezilla-project:filezilla_client:3.7.2:*:*:*:*:*:*:*
  • OR cpe:/a:filezilla-project:filezilla_client:3.7.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:filezilla-project:filezilla_client:3.7.1:-:*:*:*:*:*:*
  • OR cpe:/a:filezilla-project:filezilla_client:3.7.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:filezilla-project:filezilla_client:3.7.0:-:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20134207
    V
    		CVE-2013-4207
    2022-06-30
    oval:org.opensuse.security:def:112227
    P
    		filezilla-3.23.0.2-1.1 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:105757
    P
    		filezilla-3.23.0.2-1.1 on GA media (Moderate)
    2021-10-01
    oval:org.mitre.oval:def:18299
    P
    		DSA-2736-1 putty - several
    2014-06-23
    oval:com.ubuntu.precise:def:20134207000
    V
    		CVE-2013-4207 on Ubuntu 12.04 LTS (precise) - medium.
    2013-08-19
    BACK
    putty putty 0.57
    putty putty 0.56
    putty putty 0.55
    putty putty 0.54
    putty putty 0.53b
    simon_tatham putty *
    putty putty 0.49
    putty putty 0.48
    putty putty 0.47
    putty putty 0.46
    putty putty 0.60
    putty putty 0.50
    putty putty 0.51
    simon_tatham putty 0.53
    putty putty 0.52
    putty putty 0.45
    putty putty 0.58
    putty putty 0.59
    putty putty 0.61
    putty putty 2010-06-01 r8967
    putty putty 0.62
    filezilla-project filezilla client 3.7.2
    filezilla-project filezilla client 3.7.1.1
    filezilla-project filezilla client 3.7.1 -
    filezilla-project filezilla client 3.7.0.1
    filezilla-project filezilla client 3.7.0 -