Description
sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which allows remote attackers to enumerate users by leveraging the timing difference between responses when a large password is provided.
Release | Status | Note |
---|---|---|
devel | not-affected | 1:7.3p1-1 |
esm-infra-legacy/trusty | not-affected | 1:6.6p1-2ubuntu2.8 |
esm-infra/xenial | not-affected | 1:7.2p2-4ubuntu2.1 |
precise | released | 1:5.9p1-5ubuntu1.10 |
precise/esm | not-affected | 1:5.9p1-5ubuntu1.10 |
trusty | released | 1:6.6p1-2ubuntu2.8 |
trusty/esm | not-affected | 1:6.6p1-2ubuntu2.8 |
upstream | released | 1:7.2p2-6 |
vivid/stable-phone-overlay | ignored | end of life |
vivid/ubuntu-core | ignored | end of life |
CVSS2: 4.3 Medium
CVSS3: 5.9 Medium