CVE-2020-14002
Publication date 29 June 2020
Last updated 26 August 2025
Ubuntu priority
Description
PuTTY 0.68 through 0.73 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client).
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| putty | 26.04 LTS resolute |
Not affected
|
| 25.10 questing |
Not affected
|
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial | Ignored end of standard support, was needs-triage | |
| 14.04 LTS trusty | Not in release |
Severity score breakdown
CVSS version: CVSS v3.0
Base score
5.9 · Medium
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
References
Other references
- https://lists.tartarus.org/pipermail/putty-announce/
- https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
- https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-2-ausnutzung-eines-informationslecks-fuer-gezielte-mitm-angriffe-auf-ssh-clients/
- https://www.cve.org/CVERecord?id=CVE-2020-14002