What is CVE-2019-9895?

CVE-2019-9895 is a critical-severity software vulnerability (Memory corruption) with a CVSS score of 9.8. In PuTTY versions before 0.71 on Unix, a remotely triggerable buffer overflow exists in any kind of server-to-client forwarding.

Is CVE-2019-9895 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 3%.

What products does CVE-2019-9895 affect?

Tracked products affected include PuTTY, Fedora. Check the version you run to see whether it is affected.

How do I fix CVE-2019-9895?

Apply the vendor fix promptly. Upgrade affected products to a fixed version.

← All products

CVE-2019-9895

CRITICAL severity · CVSS 9.8 · Memory corruption

9.8CVSS CRITICAL

Summary

In PuTTY versions before 0.71 on Unix, a remotely triggerable buffer overflow exists in any kind of server-to-client forwarding.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)3%

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products we track (2)

PuTTY Fedora

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Additional information

NVD record
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00020.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36LWQ3NPFIV7DC7TC4KFPRYRH2OR7SZ2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LDO3F267P347E6U2IILFCYW7JPTLCCES/
https://seclists.org/bugtraq/2019/Apr/6
https://security.netapp.com/advisory/ntap-20190404-0001/
https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.htmlAdvisory
https://www.debian.org/security/2019/dsa-4423