CVE-2018-15473 - User enumeration vulnerability
Bug #1794629 reported by Alex Tomkins
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openssh (Ubuntu) | Fix Released | Low | Leonidas S. Barbosa | | |
Trusty | Fix Released | Undecided | Leonidas S. Barbosa | | |
Xenial | Fix Released | Undecided | Leonidas S. Barbosa | | |
Bionic | Fix Released | Undecided | Leonidas S. Barbosa | | |
Cosmic | Fix Released | Undecided | Leonidas S. Barbosa | | |
Bug Description
https:/
OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
Fixed in Debian: https:/
Currently pending triage? https:/
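
The check ordering named in the description, as an added example that is not part of the original report and is not OpenSSH source code: a simplified C model in which the request format, the account `alice`, the key `K1` and all function names are constructed for illustration. It contrasts rejecting an unknown user before the request is parsed with the fixed order, where parsing completes first and the result for a request that fails parsing no longer depends on the username.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the check ordering; not OpenSSH source code. */
enum outcome { AUTH_FAILURE, AUTH_SUCCESS, PARSE_ERROR_DISCONNECT };
typedef enum outcome (*handler_fn)(const char *, const uint8_t *, size_t);

/* Constructed request format: one length byte N, then N bytes of key blob. */
static int parse_request(const uint8_t *p, size_t n) { return (n >= 1 && (size_t)p[0] == n - 1) ? 0 : -1; }

/* Constructed account data: one user, "alice", whose authorized key is "K1". */
static int user_is_valid(const char *user) { return strcmp(user, "alice") == 0; }
static int key_is_authorized(const uint8_t *p, size_t n) { return n == 3 && memcmp(p + 1, "K1", 2) == 0; }

/* Pre-fix ordering: unknown users are rejected before the request is parsed. */
enum outcome handle_early_bailout(const char *user, const uint8_t *pkt, size_t len)
{
    if (!user_is_valid(user))
        return AUTH_FAILURE;                 /* parser never runs */
    if (parse_request(pkt, len) != 0)
        return PARSE_ERROR_DISCONNECT;       /* reachable only for real users */
    return key_is_authorized(pkt, len) ? AUTH_SUCCESS : AUTH_FAILURE;
}

/* Fixed ordering: parse the whole request first, then check the user. */
enum outcome handle_delayed_bailout(const char *user, const uint8_t *pkt, size_t len)
{
    if (parse_request(pkt, len) != 0)
        return PARSE_ERROR_DISCONNECT;       /* identical for every username */
    if (!user_is_valid(user))
        return AUTH_FAILURE;
    return key_is_authorized(pkt, len) ? AUTH_SUCCESS : AUTH_FAILURE;
}

/* Regression check: 1 if the outcome differs between a real and an unknown user. */
int outcome_depends_on_user(handler_fn h, const uint8_t *pkt, size_t len)
{
    return h("alice", pkt, len) != h("nobody", pkt, len);
}

int main(void)
{
    const uint8_t bad[] = { 9, 'K', '2' };   /* constructed: length byte does not match */
    printf("early=%d delayed=%d\n", outcome_depends_on_user(handle_early_bailout, bad, sizeof bad), outcome_depends_on_user(handle_delayed_bailout, bad, sizeof bad));
    return 0;
}
```
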
CVE References
information type: Private Security → Public
information type: Public → Public Security
Changed in openssh (Ubuntu):
importance: Undecided → Low
Changed in openssh (Ubuntu Trusty):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Changed in openssh (Ubuntu Xenial):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Changed in openssh (Ubuntu Bionic):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Changed in openssh (Ubuntu Cosmic):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Changed in openssh (Ubuntu):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Changed in openssh (Ubuntu Trusty):
status: New → In Progress
Changed in openssh (Ubuntu Xenial):
status: New → In Progress
Changed in openssh (Ubuntu Bionic):
status: New → In Progress
Changed in openssh (Ubuntu Cosmic):
status: New → In Progress
Changed in openssh (Ubuntu):
status: Confirmed → In Progress
Changed in openssh (Ubuntu Cosmic):
status: In Progress → Fix Released
Changed in openssh (Ubuntu):
status: In Progress → Fix Released
FYI, Qualys is now considering CVE-2018-15473 a PCI-DSS fail condition (QID: 38726).