CVE-2003-0190

OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.

Published: May 12, 2003
Updated: Apr 13, 2023
CVE: CVE-2003-0190
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-203

Affected Software
References

Software	From	Fixed in
openbsd / openssh	-	3.6.1
openbsd / openssh	3.6.1-p1	3.6.1-p1.x
openpkg / openpkg	1.3	1.3.x
openpkg / openpkg	1.2	1.2.x
siemens / scalance_x204rna_ecc_firmware	-	3.2.7
siemens / scalance_x204rna_firmware	-	3.2.7

http://lab.mediaservice.net/advisory/2003-01-openssh.txt
http://lists.grok.org.uk/pipermail/full-disclosure/2003-April/004815.html
http://marc.info/?l=bugtraq&m=105172058404810&w=2
http://marc.info/?l=bugtraq&m=106018677302607&w=2
http://www.redhat.com/support/errata/RHSA-2003-222.html
http://www.redhat.com/support/errata/RHSA-2003-224.html
http://www.securityfocus.com/bid/7467
http://www.turbolinux.com/security/TLSA-2003-31.txt
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A445

Vulnerability Database

289,599

CVE-2003-0190