CVE-2022-31124 HIGH

CVE-2022-31124: Possible leak of key's raw field if declared length is incorrect in openssh_key_parser

Vendor Scottcwang
Product openssh_key_parser
Weakness CWE-209 · Error message info leak
Published July 6, 2022
Last update April 22, 2025

CVSS base score

7.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

openssh_key_parser is an open source Python package providing utilities to parse and pack OpenSSH private and public key files. In versions prior to 0.0.6 if a field of a key is shorter than it is declared to be, the parser raises an error with a message containing the raw field value. An attacker able to modify the declared length of a key's sensitive field can thus expose the raw value of that field. Users are advised to upgrade to version 0.0.6, which no longer includes the raw field value in the error message. There are no known workarounds for this issue.

Key dates

02Disclosure timeline

July 6, 2022 CVE published
April 22, 2025 Record updated