A flaw was found in the implementation of transport.py in Paramiko, which did not properly check whether authentication was completed before processing other requests. A customized SSH client could simply skip the authentication step.
This flaw is a user authentication bypass in the SSH Server functionality of Paramiko. Where Paramiko is used only for its client-side functionality (e.g. paramiko.SSHClient), the vulnerability is not exposed and thus cannot be exploited.
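The missing check can be shown with a toy server-side dispatcher that runs with and without an authentication gate. This is an added example, not Paramiko's code: the message numbers are the standard SSH ones from RFC 4250, while the class, function and sample credential are hypothetical and constructed for illustration.

```python
# Toy model of an SSH server's message dispatch; not Paramiko's code.
# Message numbers come from RFC 4250; every other name here is hypothetical.
MSG_SERVICE_REQUEST = 5
MSG_USERAUTH_REQUEST = 50
MSG_CHANNEL_OPEN = 90
CONSTRUCTED_PASSWORD = "example-only"  # constructed sample credential


class ProtocolError(Exception):
    """A message arrived in a state that does not permit it."""


class ToyServerTransport:
    def __init__(self, enforce_auth_gate):
        self.enforce_auth_gate = enforce_auth_gate
        self.authenticated = False
        self.channels_opened = 0

    def handle(self, msg_type, payload=None):
        # The gate: connection-protocol messages (80-127) are refused
        # until user authentication has completed.
        if self.enforce_auth_gate and 80 <= msg_type <= 127 and not self.authenticated:
            raise ProtocolError(f"message {msg_type} before authentication")
        if msg_type == MSG_USERAUTH_REQUEST:
            self.authenticated = payload == CONSTRUCTED_PASSWORD
            return "auth-success" if self.authenticated else "auth-failure"
        if msg_type == MSG_CHANNEL_OPEN:
            self.channels_opened += 1
            return "channel-open-confirmation"
        return "accepted"


def replay(transport, messages):
    """Feed (msg_type, payload) pairs to the transport; stop at the first rejection."""
    replies = []
    for msg_type, payload in messages:
        try:
            replies.append(transport.handle(msg_type, payload))
        except ProtocolError:
            replies.append("rejected")
            break
    return replies


# Constructed sequences: one authenticates first, one never sends USERAUTH_REQUEST.
WITH_AUTH = [(MSG_SERVICE_REQUEST, None), (MSG_USERAUTH_REQUEST, CONSTRUCTED_PASSWORD), (MSG_CHANNEL_OPEN, None)]
WITHOUT_AUTH = [(MSG_SERVICE_REQUEST, None), (MSG_CHANNEL_OPEN, None)]
```

Replaying both sequences against a server's state machine in this way works as a regression test: the gated transport must reject WITHOUT_AUTH while still serving WITH_AUTH.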