
Description: PuTTY 0.59 and earlier uses weak file permissions for (1) ppk files containing private keys generated by puttygen and (2) session logs created by putty, which allows local users to gain sensitive information by reading these files.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 400804

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                        Version                  Status
putty (PTS)      buster                         0.70-6                   fixed
                 buster (security)              0.74-1+deb11u1~deb10u1   fixed
                 bullseye (security), bullseye  0.74-1+deb11u1           fixed
                 bookworm, bookworm (security)  0.78-2+deb12u1           fixed
                 sid, trixie                    0.81-1                   fixed

The information below is based on the following data on fixed versions.

Package   Type   Release   Fixed Version   Urgency   Origin   Debian Bugs


Unsafe default, but not a vulnerability
Sensitive operations like key generation should only be done in private home

