CVE-2017-2659 — Information Exposure via Error Message in SSH Project Dropbear SSH

CWE-209 — Information Exposure via Error Message CWE-287 — Improper Authentication6 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 48.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dropbear SSH Project Dropbear SSH Debian Dropbear

Timeline

PublishedMar 21

Latest updateMay 13

Description

It was found that dropbear before version 2013.59 with GSSAPI leaks whether given username is valid or invalid. When an invalid username is given, the GSSAPI authentication failure was incorrectly counted towards the maximum allowed number of password attempts.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/dropbear< dropbear 2013.60-1 (bookworm)

▶NVDdropbear_ssh_project/dropbear_ssh< 2013.59

▶Debiandropbear_ssh_project/dropbear_ssh< 2013.60-1+3

Patches

Patch: bugzilla.redhat.com ↗Patch: secure.ucc.asn.au ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-m7fh-9pv8-fwc2: It was found that dropbear before version 2013↗2022-05-13

▶

OSV

CVE-2017-2659: It was found that dropbear before version 2013↗2019-03-21

▶

📋Vendor Advisories

Debian

CVE-2017-2659: dropbear - It was found that dropbear before version 2013.59 with GSSAPI leaks whether give...↗2017

▶

💬Community

Bugzilla

CVE-2017-7594 libtiff: Memory leak in OJPEGReadHeaderInfoSecTablesDcTable function↗2017-04-11

▶

Bugzilla

CVE-2017-2659 dropbear: Information leak when given invalid username↗2017-03-20

▶