Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2003-0190Observable Discrepancy in Openssh

CWE-203Observable Discrepancy16 documents9 sources
Severity
5.0MEDIUMNVD
EPSS
22.6%
top 4.13%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
4
Openbsd OpensshSiemens Scalance X204rna ECC FirmwareSiemens Scalance X204rna Firmware+1 more
Timeline
PublishedMay 12
Latest updateApr 29

Description

OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages5 packages

NVDopenbsd/openssh< 3.6.1+1
Debianopenbsd/openssh< 1:3.8.1p1-8.sarge.4+3
NVDopenpkg/openpkg1.2, 1.3+1

Patches

Patch: www.securityfocus.comPatch: www.securityfocus.com

🔴Vulnerability Details

3
GHSA
GHSA-32j7-fc74-pjwq: OpenSSH-portable (OpenSSH) 32022-04-29
OSV
CVE-2003-0190: OpenSSH-portable (OpenSSH) 32003-05-12
CVEList
CVE-2003-0190: OpenSSH-portable (OpenSSH) 32003-05-02

💥Exploits & PoCs

3
Exploit-DB
Portable OpenSSH 3.6.1p-PAM/4.1-SuSE - Timing Attack2007-02-13
Exploit-DB
OpenSSH/PAM 3.6.1p1 - 'gossh.sh' Remote Users Ident2003-05-02
Exploit-DB
OpenSSH/PAM 3.6.1p1 - Remote Users Discovery Tool2003-04-30

📋Vendor Advisories

5
Ubuntu
OpenSSH information leakage2004-11-30
Red Hat
openssh information disclosure2004-04-12
Red Hat
openssh information disclosure2003-05-01
Red Hat
security flaw2003-04-30
Debian
CVE-2003-0190: openssh - OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediat...2003

💬Community

3
Bugzilla
CVE-2003-0190 security flaw2018-08-16
Bugzilla
CVE-2004-2760 openssh information disclosure2008-08-04
Bugzilla
CVE-2003-1562 openssh information disclosure2008-08-04
CVE-2003-0190 — Observable Discrepancy in Openssh | cvebase