CVE-2007-2243
published 2007-04-25
CVE-2007-2243: OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to…
Priority P420 · medium · 5 · CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS 2.47% (82.5th percentile)
OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.
Affected
63 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
| openbsd | openssh | — | — |
CVSS provenance
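| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | LOW | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |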
GHSA
GHSA-p5mx-m79g-73hx: OpenSSH 4
ghsa_unreviewed·2022-05-01·CVSS 5.0
CVE-2007-2243 [MEDIUM] CWE-287 GHSA-p5mx-m79g-73hx: OpenSSH 4
OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.
GHSA
GHSA-7c33-39g7-9rjm: OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, whic
ghsa_unreviewed·2022-05-01·CVSS 5.0
CVE-2007-2768 [MEDIUM] CWE-200 GHSA-7c33-39g7-9rjm: OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, whic
OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.
OSV
CVE-2007-2768: OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, whic
osv·2007-05-21·CVSS 5.0
CVE-2007-2768 [MEDIUM] CVE-2007-2768: OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, whic
OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.
OSV
CVE-2007-2243: OpenSSH 4
osv·2007-04-25·CVSS 5.0
CVE-2007-2243 [MEDIUM] CVE-2007-2243: OpenSSH 4
OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.
Debian
CVE-2007-2768: openssh - OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remo...
vendor_debian·2007·CVSS 5.0
CVE-2007-2768 [MEDIUM] CVE-2007-2768: openssh - OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remo...
OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
Debian
CVE-2007-2243: openssh - OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows...
vendor_debian·2007·CVSS 5.0
CVE-2007-2243 [MEDIUM] CVE-2007-2243: openssh - OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows...
OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: open
trixie: open
Red Hat
CVE-2007-2768: OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, whic
vendor_redhat·CVSS 5.0
CVE-2007-2768 [MEDIUM] CVE-2007-2768: OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, whic
OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.
Statement: Not vulnerable. OPIE for PAM is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, 6, or 7.
Red Hat
CVE-2007-2243: OpenSSH 4
vendor_redhat·CVSS 5.0
CVE-2007-2243 [MEDIUM] CVE-2007-2243: OpenSSH 4
OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.
Statement: Not vulnerable. The OpenSSH packages as shipped with Red Hat Enterprise Linux do not contain S/KEY support.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053906.html
http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053951.html
http://securityreason.com/securityalert/2631
http://www.osvdb.org/34600
http://www.securityfocus.com/bid/23601
https://exchange.xforce.ibmcloud.com/vulnerabilities/33794
https://security.netapp.com/advisory/ntap-20191107-0003/
Published 2007-04-25