First published: Tue Aug 28 2018
Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.'
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Openbsd Openssh | >=5.9 <=7.8 | |
Netapp Cloud Backup | | |
Netapp Data Ontap Edge | | |
Netapp Ontap Select Deploy | | |
Netapp Steelstore | | |
Netapp Cn1610 Firmware | | |
Netapp Cn1610 | | |
CVE-2018-15919 is a vulnerability in OpenSSH that allows remote attackers to detect the existence of users on a target system.
Remote attackers can exploit this vulnerability by observing the remotely visible behaviour of auth-gss2.c in OpenSSH when GSS2 is in use.
OpenSSH versions 5.9 to 7.8 are affected by this vulnerability, as well as certain versions of Netapp Cloud Backup, Netapp Data ONTAP Edge, Netapp ONTAP Select Deploy, and Netapp Steelstore.
The severity of CVE-2018-15919 is medium with a CVSS score of 5.3.
To mitigate this vulnerability, update OpenSSH to a version that is not affected, or apply the necessary patches provided by the software vendor.
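A host-side check for the two conditions stated above, as an added example that is not part of the original advisory or of OpenSSH: it classifies a version banner against the listed 5.9 to 7.8 range and reads the effective server configuration. The function names are hypothetical, and it assumes that "GSS2 in use" corresponds to sshd's `GSSAPIAuthentication` option being enabled in the output of `sshd -T`.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not from OpenSSH).
# Assumption: "GSS2 in use" means sshd has GSSAPIAuthentication enabled.

# Print "major minor" from a banner such as "OpenSSH_7.8p1, OpenSSL 1.1.0h".
openssh_major_minor() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' |
        head -n 1
}

# Return 0 inside the listed range 5.9..7.8, 1 outside it, 2 if unparseable.
version_in_listed_range() {
    set -- $(openssh_major_minor "$1")
    [ $# -eq 2 ] || return 2
    v=$(( $1 * 100 + $2 ))
    [ "$v" -ge 509 ] && [ "$v" -le 708 ]
}

# Return 0 if the effective config (text of `sshd -T`) enables GSSAPI
# user authentication. The option defaults to "no" when absent.
gssapi_enabled() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "gssapiauthentication" { v = tolower($2) }
        END { exit (v == "yes" ? 0 : 1) }'
}

# Print one verdict for a version banner ($1) and effective config ($2).
assess() {
    rc=0
    version_in_listed_range "$1" || rc=$?
    if [ "$rc" -eq 2 ]; then echo "unknown-version"
    elif [ "$rc" -ne 0 ]; then echo "outside-listed-range"
    elif gssapi_enabled "$2"; then echo "in-range-gssapi-on"
    else echo "in-range-gssapi-off"
    fi
}

# On a host (as root): assess "$(ssh -V 2>&1)" "$(sshd -T 2>/dev/null)"
```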