CVE-2018-15919
MEDIUMOpenSSH 5.9-7.8 - User Enumeration via GSS2 Authentication
Title source: llmDescription
Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.'
References (3)
Core 3
Core References
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20181221-0001/
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/105163
Mailing List, Patch, Third Party Advisory x_refsource_misc
http://seclists.org/oss-sec/2018/q3/180
Scores
CVSS v3
5.3
EPSS
0.0207
EPSS Percentile
84.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (6)
netapp/cloud_backup
netapp/cn1610_firmware
netapp/data_ontap_edge
netapp/ontap_select_deploy
netapp/steelstore
openbsd/openssh
5.9 - 7.8
Published
Aug 28, 2018
Tracked Since
Feb 18, 2026