Search for vulnerabilities
Vulnerability details: VCID-mdkv-a82q-mke5
Vulnerability ID VCID-mdkv-a82q-mke5
Aliases CVE-2008-0299
GHSA-wqmm-q65g-2hqr
PYSEC-2008-8
Summary common.py in Paramiko 1.7.1 and earlier, when using threads or forked processes, does not properly use RandomPool, which allows one session to obtain sensitive information from another session by predicting the state of the pool.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1 6.5 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=460706
generic_textual HIGH http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=460706
cvssv3.1 6.5 http://people.debian.org/~nion/nmu-diff/paramiko-1.6.4-1_1.6.4-1.1.patch
generic_textual HIGH http://people.debian.org/~nion/nmu-diff/paramiko-1.6.4-1_1.6.4-1.1.patch
epss 0.01232 https://api.first.org/data/v1/epss?cve=CVE-2008-0299
epss 0.01232 https://api.first.org/data/v1/epss?cve=CVE-2008-0299
epss 0.01232 https://api.first.org/data/v1/epss?cve=CVE-2008-0299
epss 0.01232 https://api.first.org/data/v1/epss?cve=CVE-2008-0299
epss 0.01232 https://api.first.org/data/v1/epss?cve=CVE-2008-0299
epss 0.01232 https://api.first.org/data/v1/epss?cve=CVE-2008-0299
epss 0.01232 https://api.first.org/data/v1/epss?cve=CVE-2008-0299
epss 0.01232 https://api.first.org/data/v1/epss?cve=CVE-2008-0299
epss 0.01232 https://api.first.org/data/v1/epss?cve=CVE-2008-0299
epss 0.01232 https://api.first.org/data/v1/epss?cve=CVE-2008-0299
epss 0.01232 https://api.first.org/data/v1/epss?cve=CVE-2008-0299
epss 0.01232 https://api.first.org/data/v1/epss?cve=CVE-2008-0299
epss 0.01232 https://api.first.org/data/v1/epss?cve=CVE-2008-0299
epss 0.01232 https://api.first.org/data/v1/epss?cve=CVE-2008-0299
epss 0.01232 https://api.first.org/data/v1/epss?cve=CVE-2008-0299
epss 0.01232 https://api.first.org/data/v1/epss?cve=CVE-2008-0299
epss 0.01232 https://api.first.org/data/v1/epss?cve=CVE-2008-0299
epss 0.01232 https://api.first.org/data/v1/epss?cve=CVE-2008-0299
epss 0.01232 https://api.first.org/data/v1/epss?cve=CVE-2008-0299
epss 0.01232 https://api.first.org/data/v1/epss?cve=CVE-2008-0299
epss 0.01232 https://api.first.org/data/v1/epss?cve=CVE-2008-0299
epss 0.01232 https://api.first.org/data/v1/epss?cve=CVE-2008-0299
epss 0.01232 https://api.first.org/data/v1/epss?cve=CVE-2008-0299
epss 0.01232 https://api.first.org/data/v1/epss?cve=CVE-2008-0299
epss 0.01232 https://api.first.org/data/v1/epss?cve=CVE-2008-0299
cvssv3.1 6.5 https://bugzilla.redhat.com/show_bug.cgi?id=428727
generic_textual HIGH https://bugzilla.redhat.com/show_bug.cgi?id=428727
cvssv3.1 6.5 http://security.gentoo.org/glsa/glsa-200803-07.xml
generic_textual HIGH http://security.gentoo.org/glsa/glsa-200803-07.xml
cvssv3.1 6.5 https://exchange.xforce.ibmcloud.com/vulnerabilities/39749
generic_textual HIGH https://exchange.xforce.ibmcloud.com/vulnerabilities/39749
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-wqmm-q65g-2hqr
cvssv3.1 6.5 https://github.com/paramiko/paramiko
generic_textual HIGH https://github.com/paramiko/paramiko
cvssv3.1 6.5 https://github.com/pypa/advisory-database/tree/main/vulns/paramiko/PYSEC-2008-8.yaml
generic_textual HIGH https://github.com/pypa/advisory-database/tree/main/vulns/paramiko/PYSEC-2008-8.yaml
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2008-0299
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2008-0299
cvssv3.1 6.5 https://web.archive.org/web/20080205095439/http://secunia.com/advisories/28488
generic_textual HIGH https://web.archive.org/web/20080205095439/http://secunia.com/advisories/28488
cvssv3.1 6.5 https://web.archive.org/web/20080627172450/http://secunia.com/advisories/28510
generic_textual HIGH https://web.archive.org/web/20080627172450/http://secunia.com/advisories/28510
cvssv3.1 6.5 https://web.archive.org/web/20080628232710/http://secunia.com/advisories/29168
generic_textual HIGH https://web.archive.org/web/20080628232710/http://secunia.com/advisories/29168
cvssv3.1 6.5 https://web.archive.org/web/20080720033315/http://www.lag.net/pipermail/paramiko/2008-January/000599.html
generic_textual HIGH https://web.archive.org/web/20080720033315/http://www.lag.net/pipermail/paramiko/2008-January/000599.html
cvssv3.1 6.5 https://web.archive.org/web/20081012023428/http://www.securityfocus.com/bid/27307
generic_textual HIGH https://web.archive.org/web/20081012023428/http://www.securityfocus.com/bid/27307
cvssv3.1 6.5 https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00529.html
generic_textual HIGH https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00529.html
cvssv3.1 6.5 https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00594.html
generic_textual HIGH https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00594.html
Reference id Reference type URL
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=460706
http://people.debian.org/~nion/nmu-diff/paramiko-1.6.4-1_1.6.4-1.1.patch
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2008-0299.json
https://api.first.org/data/v1/epss?cve=CVE-2008-0299
https://bugzilla.redhat.com/show_bug.cgi?id=428727
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0299
http://secunia.com/advisories/28488
http://secunia.com/advisories/28510
http://secunia.com/advisories/29168
http://security.gentoo.org/glsa/glsa-200803-07.xml
https://exchange.xforce.ibmcloud.com/vulnerabilities/39749
https://github.com/paramiko/paramiko
https://github.com/pypa/advisory-database/tree/main/vulns/paramiko/PYSEC-2008-8.yaml
https://nvd.nist.gov/vuln/detail/CVE-2008-0299
https://web.archive.org/web/20080205095439/http://secunia.com/advisories/28488
https://web.archive.org/web/20080627172450/http://secunia.com/advisories/28510
https://web.archive.org/web/20080628232710/http://secunia.com/advisories/29168
https://web.archive.org/web/20080720033315/http://www.lag.net/pipermail/paramiko/2008-January/000599.html
https://web.archive.org/web/20081012023428/http://www.securityfocus.com/bid/27307
https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00529.html
https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00594.html
http://www.lag.net/pipermail/paramiko/2008-January/000599.html
http://www.securityfocus.com/bid/27307
460706 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=460706
GHSA-wqmm-q65g-2hqr https://github.com/advisories/GHSA-wqmm-q65g-2hqr
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=460706
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at http://people.debian.org/~nion/nmu-diff/paramiko-1.6.4-1_1.6.4-1.1.patch
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://bugzilla.redhat.com/show_bug.cgi?id=428727
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at http://security.gentoo.org/glsa/glsa-200803-07.xml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://exchange.xforce.ibmcloud.com/vulnerabilities/39749
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/paramiko/paramiko
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/paramiko/PYSEC-2008-8.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2008-0299
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://web.archive.org/web/20080205095439/http://secunia.com/advisories/28488
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://web.archive.org/web/20080627172450/http://secunia.com/advisories/28510
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://web.archive.org/web/20080628232710/http://secunia.com/advisories/29168
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://web.archive.org/web/20080720033315/http://www.lag.net/pipermail/paramiko/2008-January/000599.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://web.archive.org/web/20081012023428/http://www.securityfocus.com/bid/27307
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00529.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00594.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.7834
EPSS Score 0.01232
Published At Aug. 9, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:04:31.812039+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/paramiko/PYSEC-2008-8.yaml 37.0.0