Published: 08/04/2009 Updated: 13/05/2009

CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10

VMScore: 445

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

pam_ssh 1.92 and possibly other versions, as used when PAM is compiled with USE=ssh, generates different error messages depending on whether the username is valid or invalid, which makes it easier for remote malicious users to enumerate usernames.

Vulnerable Product	Search on Vulmon	Subscribe to Product
andrew j.korty pam ssh 1.92

Debian Bug report logs - #535877 CVE-2009-1273: user enumeration issue in libpam-ssh Package: libpam-ssh; Maintainer for libpam-ssh is Jerome Benoit <calculus@rezozernet>; Source for libpam-ssh is src:libpam-ssh (PTS, buildd, popcon) Reported by: Florian Weimer <fw@denebenyode> Date: Sun, 5 Jul 2009 18:36:01 UTC ...

CWE-255 http://bugs.gentoo.org/show_bug.cgi?id=263579 http://secunia.com/advisories/34536 http://secunia.com/advisories/34986 https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00116.html https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00145.html https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=535877 https://nvd.nist.gov

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2009-1273

Vulnerability Summary

Vendor Advisories

References

Vulmon Search

About

Products

Connect