CVE-2020-14145: Observable Discrepancy in OpenSSH

Severity: 5.9 MEDIUM (NVD)
EPSS: 1.6% (top 18.48%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 29; Latest update May 24

Description

The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.2 | Impact: 3.6

Affected Packages: 2 packages

Patches

🔴 Vulnerability Details (3)

GHSA
GHSA-96g2-7cqx-5ggh: The client side in OpenSSH 5 (2022-05-24)
OSV
CVE-2020-14145: The client side in OpenSSH 5 (2020-06-29)
CVEList
CVE-2020-14145: The client side in OpenSSH 5 (2020-06-29)

📋 Vendor Advisories (3)

Red Hat
openssh: Observable discrepancy leading to an information leak in the algorithm negotiation (2020-06-29)
Microsoft
The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connecti (2020-06-09)
Debian
CVE-2020-14145: openssh - The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading... (2020)

💬 Community (2)

Bugzilla
CVE-2020-14145 openssh: Observable discrepancy leading to an information leak in the algorithm negotiation (2020-07-01)
Bugzilla
CVE-2020-14145 openssh: Observable Discrepancy leading to an information leak in the algorithm negotiation [fedora-all] (2020-07-01)