—

PYSEC-2022-166

Details

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / paramiko

Introduced in: 0 Fixed in: 2.9.3

Fix pip install --upgrade 'paramiko>=2.9.3'

References

https://www.paramiko.org/changelog.html [WEB]
https://github.com/paramiko/paramiko/blob/363a28d94cada17f012c1604a3c99c71a2bda003/paramiko/pkey.py#L546 [WEB]
https://github.com/advisories/GHSA-f8q4-jwww-x3wv [ADVISORY]