Vulnerability Details CVE-2009-1273
pam_ssh 1.92 and possibly other versions, as used when PAM is compiled with USE=ssh, generates different error messages depending on whether the username is valid or invalid, which makes it easier for remote attackers to enumerate usernames.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 57.3%
CVSS Severity
CVSS v2 Score 5.0
References
- http://bugs.gentoo.org/show_bug.cgi?id=263579
- http://secunia.com/advisories/34536
- http://secunia.com/advisories/34986
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00116.html
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00145.html
- http://bugs.gentoo.org/show_bug.cgi?id=263579
- http://secunia.com/advisories/34536
- http://secunia.com/advisories/34986
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00116.html
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00145.html
Products affected by CVE-2009-1273
-
cpe:2.3:a:andrew_j.korty:pam_ssh:1.92