CVE-2017-2659
Published: 2019-03-21
Priority: P3 (39) | Severity: high | CVSS 3.0 base score: 7.5
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.50% (71.2th percentile)
It was found that dropbear before version 2013.59 with GSSAPI leaks whether a given username is valid or invalid. When an invalid username is given, the GSSAPI authentication failure was incorrectly counted towards the maximum allowed number of password attempts. In effect, a client that supplies an invalid username exhausts the attempt limit sooner than one that supplies a valid username, so the point at which the server disconnects becomes a username-enumeration oracle; no credential or session data is disclosed.
Affected
6 ranges listed (3 distinct; the duplicated dropbear_ssh_project rows are collapsed below)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | dropbear | < dropbear 2013.60-1 (bookworm) | dropbear 2013.60-1 (bookworm) |
| dropbear_ssh_project | dropbear_ssh | < 2013.59 | 2013.59 |
| dropbear_ssh_project | dropbear_ssh | >= 0 < 2013.60-1 | 2013.60-1 |
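The only field that matters for triage is the dropbear release, and dropbear advertises it in its SSH identification line as `SSH-2.0-dropbear_<YYYY.NN>`. The following added example (not code from this page, dropbear, or Debian) parses such a banner and compares the release against 2013.59, the upstream fix version stated above. The sample banners are constructed, not captured from real hosts, and `grab_banner` is an optional helper for pulling the line from a live server; the `>= 2013.59` threshold and the assumption that vendors do not backport the fix without bumping the version are the example's own.

```python
import re
import socket

# Upstream fix version from the advisory text above: dropbear 2013.59.
# Dropbear releases are numbered YYYY.NN, so a (year, release) tuple
# compares correctly.
FIXED_VERSION = (2013, 59)

# Dropbear's identification line is "SSH-2.0-dropbear_<YYYY.NN>".
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-dropbear_(?P<year>\d{4})\.(?P<rel>\d+)"
)


def parse_dropbear_version(banner: str):
    """Return (year, release) from a dropbear identification line,
    or None if the line was not produced by dropbear."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return (int(m.group("year")), int(m.group("rel")))


def is_affected(banner: str):
    """True  -> dropbear older than 2013.59 (version-based match only)
    False -> dropbear 2013.59 or newer
    None  -> not a dropbear banner

    Caveats a practitioner should keep in mind (assumptions of this example):
    a distribution may backport the fix without changing the banner, and the
    leak only exists when GSSAPI authentication is compiled in. Treat True as
    'verify against the package changelog', not as confirmed vulnerable."""
    version = parse_dropbear_version(banner)
    if version is None:
        return None
    return version < FIXED_VERSION


# Constructed sample banners for offline use (not from any real host).
SAMPLE_BANNERS = [
    "SSH-2.0-dropbear_2012.55",
    "SSH-2.0-dropbear_2013.58",
    "SSH-2.0-dropbear_2013.59",
    "SSH-2.0-dropbear_2019.78",
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3",
]


def triage(banners):
    """Map each banner to its is_affected() verdict."""
    return {b: is_affected(b) for b in banners}


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server's identification line from a live host.
    Requires network access; not used by the offline demo below."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        # Read byte-by-byte so we stop at the end of the first line and
        # never consume the start of the key-exchange packet.
        while not data.endswith(b"\n") and len(data) < 255:
            chunk = s.recv(1)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace").strip()


if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS).items():
        label = {True: "older than 2013.59", False: "2013.59 or newer",
                 None: "not dropbear"}[verdict]
        print(f"{banner:40s} {label}")
```

Run it with no arguments to see the verdicts for the constructed banners, or call `is_affected(grab_banner("host"))` against a system you are authorised to test. Because the check is purely version-based it is a triage aid; confirming a backported fix still means reading the distribution's changelog for the entry that references CVE-2017-2659.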
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 5.3 | MEDIUM | |
Note the spread: NVD's v3 score assumes High confidentiality impact, while Debian scores the issue 5.3, which better reflects a username-validity oracle than a data disclosure.
Debian
vendor_debian · 2017 · CVSS 5.3 · MEDIUM
CVE-2017-2659: dropbear - It was found that dropbear before version 2013.59 with GSSAPI leaks whether give...
Scope: local
bookworm: resolved (fixed in 2013.60-1)
bullseye: resolved (fixed in 2013.60-1)
forky: resolved (fixed in 2013.60-1)
sid: resolved (fixed in 2013.60-1)
trixie: resolved (fixed in 2013.60-1)
GHSA
GHSA-m7fh-9pv8-fwc2 · ghsa_unreviewed · 2022-05-13 · HIGH · CWE-287 (Improper Authentication)
OSV
osv · 2019-03-21 · CVSS 7.5 · HIGH
No detection rules found.
No public exploits indexed.
Bugzilla (unrelated entry: CVE-2017-7594 in libtiff, cross-linked here only because its upstream bug number is also 2659)
bugzilla · 2017-04-11 · CVSS 5.5 · MEDIUM
CVE-2017-7594 libtiff: Memory leak in OJPEGReadHeaderInfoSecTablesDcTable function
The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF allows attackers to cause a denial of service (memory leak) via a crafted image.
Upstream bug:
http://bugzilla.maptools.org/show_bug.cgi?id=2659
Upstream patches:
https://github.com/vadz/libtiff/commit/2ea32f7372b65c24b2816f11c04bf59b5090d05b
https://github.com/vadz/libtiff/commit/8283e4d1b7e53340684d12932880cbcbaf23a8c1
Discussion:
Created mingw-libtiff tracking bugs for this issue:
Affects: fedora-all [bug 1438465]
---
Created mingw-libtiff tracking bugs for this issue:
Affects: epel-7 [bug 1438466]
---
Created libtiff tracking bugs for this issue:
Affects: fedora-all [bug 1441273]
Bugzilla
bugzilla · 2017-03-20 · CVSS 5.3 · MEDIUM
CVE-2017-2659 dropbear: Information leak when given invalid username
It was found that dropbear with GSSAPI leaks whether given username is valid or invalid. When an invalid username is given, the GSSAPI authentication failure was incorrectly counted towards the maximum allowed number of password attempts.
This was fixed in dropbear-2013.59, as part of the following patch:
https://secure.ucc.asn.au/hg/dropbear/rev/d7784616409a#l1.86
Acknowledgments: Gilford Martino (BAE Systems), Scott McKee (BAE Systems)
External references: https://secure.ucc.asn.au/hg/dropbear/rev/d7784616409a#l1.86