CVE-2007-2243
OpenSSH <= 4.6 - User Enumeration via S/KEY ChallengeResponseAuthentication
Title source: llmDescription
OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.
References (7)
Core 7
Core References
Mailing List mailing-list
x_refsource_fulldisc
http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053906.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/23601
Third Party Advisory third-party-advisory
x_refsource_sreason
http://securityreason.com/securityalert/2631
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://www.osvdb.org/34600
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/33794
Mailing List mailing-list
x_refsource_fulldisc
http://lists.grok.org.uk/pipermail/full-disclosure/2007-April/053951.html
Vendor Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20191107-0003/
Scores
EPSS
0.0044
EPSS Percentile
63.4%
Details
CWE
CWE-287
Status
published
Products (50)
openbsd/openssh
1.2
openbsd/openssh
1.2.1
openbsd/openssh
1.2.2
openbsd/openssh
1.2.3
openbsd/openssh
1.2.27
openbsd/openssh
2.1
openbsd/openssh
2.1.1
openbsd/openssh
2.2
openbsd/openssh
2.3
openbsd/openssh
2.5
... and 40 more
Published
Apr 25, 2007
Tracked Since
Feb 18, 2026