Vulnerability in N/a
CVE-2003-0190
OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.
EPSS: 0.768 (99.5th percentile)
Affected products
- N/a — versions n/a
References
- RHSA-2003:222 (vendor-advisory)
- 20030430 OpenSSH/PAM timing attack allows remote users identification (mailing-list)
- 7467 (vdb-entry)
- 20030806 [OpenPKG-SA-2003.035] OpenPKG Security Advisory (openssh) (mailing-list)
- RHSA-2003:224 (vendor-advisory)
- oval:org.mitre.oval:def:445 (signature, vdb-entry)
- lab.mediaservice.net/advisory/2003-01-openssh.txt
- TLSA-2003-31 (vendor-advisory)
- cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
Frequently asked questions
- What is CVE-2003-0190?
  - CVE-2003-0190 is a vulnerability in N/a. Published 2003-05-02.
- Is CVE-2003-0190 known to be exploited?
  - 11 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.