CVE-2017-2659
MEDIUM
dropbear_ssh < 2013.59 - Improper Authentication via GSSAPI Username Validation
Title source: llm
Description
It was found that dropbear before version 2013.59 with GSSAPI leaks whether a given username is valid or invalid. When an invalid username is given, the GSSAPI authentication failure was incorrectly counted towards the maximum allowed number of password attempts.
References (2)
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2659
Patch, Third Party Advisory x_refsource_misc
https://secure.ucc.asn.au/hg/dropbear/rev/d7784616409a#l1.86
Scores
CVSS v3: 5.3
EPSS: 0.0150
EPSS Percentile: 71.0%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE: CWE-287, CWE-209
Status: published
Products (1)
dropbear_ssh_project/dropbear_ssh < 2013.59
Published: Mar 21, 2019
Tracked Since: Feb 18, 2026