First published: Wed Sep 15 2021
** DISPUTED ** OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
OpenSSH | <=8.7 | |
IBM Data ONTAP | | |
NetApp SolidFire & HCI Management Node | | |
NetApp ONTAP Select Deploy | | |
NetApp SolidFire & HCI Storage Node | | |
The vulnerability ID is CVE-2016-20012.
The severity rating of CVE-2016-20012 is medium with a score of 5.3.
This vulnerability allows remote attackers to test the validity of a certain combination of username and public key in an SSH server.
OpenSSH up to version 8.7 is affected by CVE-2016-20012.
The fix for this vulnerability can be found in the OpenSSH source code.