CVE-2018-15919

Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.'

Published: 2018-08-28 08:29
Updated: 2019-03-07 16:29

CVSS Score: 5.0 / 10
Vendor Product Version URI
Openbsd Openssh 5.9 cpe:/a:openbsd:openssh:5.9
Openbsd Openssh 5.9 cpe:/a:openbsd:openssh:5.9:p1
Openbsd Openssh 6.0 cpe:/a:openbsd:openssh:6.0
Openbsd Openssh 6.0 cpe:/a:openbsd:openssh:6.0:p1
Openbsd Openssh 6.1 cpe:/a:openbsd:openssh:6.1
Openbsd Openssh 6.1 cpe:/a:openbsd:openssh:6.1:p1
Openbsd Openssh 6.2 cpe:/a:openbsd:openssh:6.2
Openbsd Openssh 6.2 cpe:/a:openbsd:openssh:6.2:p1
Openbsd Openssh 6.2 cpe:/a:openbsd:openssh:6.2:p2
Openbsd Openssh 6.3 cpe:/a:openbsd:openssh:6.3
Openbsd Openssh 6.3 cpe:/a:openbsd:openssh:6.3:p1
Openbsd Openssh 6.4 cpe:/a:openbsd:openssh:6.4
Openbsd Openssh 6.4 cpe:/a:openbsd:openssh:6.4:p1
Openbsd Openssh 6.5 cpe:/a:openbsd:openssh:6.5
Openbsd Openssh 6.5 cpe:/a:openbsd:openssh:6.5:p1
Openbsd Openssh 6.6 cpe:/a:openbsd:openssh:6.6
Openbsd Openssh 6.6 cpe:/a:openbsd:openssh:6.6:p1
Openbsd Openssh 6.7 cpe:/a:openbsd:openssh:6.7
Openbsd Openssh 6.7 cpe:/a:openbsd:openssh:6.7:p1
Openbsd Openssh 6.8 cpe:/a:openbsd:openssh:6.8
Openbsd Openssh 6.8 cpe:/a:openbsd:openssh:6.8:p1
Openbsd Openssh 6.9 cpe:/a:openbsd:openssh:6.9
Openbsd Openssh 6.9 cpe:/a:openbsd:openssh:6.9:p1
Openbsd Openssh 7.0 cpe:/a:openbsd:openssh:7.0
Openbsd Openssh 7.0 cpe:/a:openbsd:openssh:7.0:p1
Openbsd Openssh 7.1 cpe:/a:openbsd:openssh:7.1
Openbsd Openssh 7.1 cpe:/a:openbsd:openssh:7.1:p1
Openbsd Openssh 7.1 cpe:/a:openbsd:openssh:7.1:p2
Openbsd Openssh 7.2 cpe:/a:openbsd:openssh:7.2:p2
Openbsd Openssh 7.3 cpe:/a:openbsd:openssh:7.3
Openbsd Openssh 7.3 cpe:/a:openbsd:openssh:7.3:p1
Openbsd Openssh 7.4 cpe:/a:openbsd:openssh:7.4
Openbsd Openssh 7.4 cpe:/a:openbsd:openssh:7.4:p1
Openbsd Openssh 7.5 cpe:/a:openbsd:openssh:7.5
Openbsd Openssh 7.5 cpe:/a:openbsd:openssh:7.5:p1
Openbsd Openssh 7.6 cpe:/a:openbsd:openssh:7.6:p1
Openbsd Openssh 7.7 cpe:/a:openbsd:openssh:7.7:p1
Netapp Cloud Backup - cpe:/a:netapp:cloud_backup:-
Netapp Data Ontap Edge - cpe:/a:netapp:data_ontap_edge:-
Netapp Ontap Select Deploy - cpe:/a:netapp:ontap_select_deploy:-
Netapp Steelstore - cpe:/a:netapp:steelstore:-
Openbsd Openssh 7.8 cpe:/a:openbsd:openssh:7.8:p1
Netapp Cn1610 Firmware - cpe:/o:netapp:cn1610_firmware:-

CWE

ID Name Description Links
CWE-200 Information Exposure An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information. CVE

History of changes

Date Event
2019-03-07 16:29
2018-12-22 11:29
2018-11-07 16:04
2018-08-29 10:29
2018-08-28 08:29

New CVE