CVE-2007-2243 — Improper Authentication in Openssh

CWE-287 — Improper Authentication7 documents6 sources

Severity

5.0MEDIUMNVD

EPSS

0.3%

top 50.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openbsd Openssh

Timeline

PublishedApr 25

Latest updateMay 1

Description

OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

▶NVDopenbsd/openssh62 versions+61

🔴Vulnerability Details

GHSA

GHSA-p5mx-m79g-73hx: OpenSSH 4↗2022-05-01

▶

OSV

CVE-2007-2243: OpenSSH 4↗2007-04-25

▶

CVEList

CVE-2007-2243: OpenSSH 4↗2007-04-25

▶

📋Vendor Advisories

Debian

CVE-2007-2243: openssh - OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows...↗2007

▶

Red Hat

CVE-2007-2243: OpenSSH 4↗

▶

Red Hat

CVE-2007-2768: OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, whic↗

▶