sshd in OpenSSH prior to 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which allows remote malicious users to enumerate users by leveraging the timing difference between responses when a large password is provided.
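
One way to remove the timing difference described above, as an added example (not OpenSSH's code and not from this page): derive the hash setting used for nonexistent users from the SHA256/SHA512 scheme and cost that real accounts on the host use, so both paths run the same algorithm. The shadow lines, function names and the `$6$` fallback are constructed assumptions.

```python
import secrets
import string

# Constructed sample of /etc/shadow-style lines (not real accounts or hashes).
SAMPLE_SHADOW = """\
root:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$rounds=5000$Zq3xK1pLw9sT$constructedhashvalueAAAA:19000:0:99999:7:::
bob:$6$Hh2mN8vRt4yU$constructedhashvalueBBBB:19000:0:99999:7:::
"""

SALT_CHARS = string.ascii_letters + string.digits + "./"
# Assumed fallback when no account carries a usable hash; set it to whatever
# the host's password policy configures.
DEFAULT_PREFIX = "$6$"


def scheme_prefix(hash_field):
    """Return '$id$[rounds=N$]' for a SHA256 ($5$) or SHA512 ($6$) crypt hash."""
    if not hash_field.startswith("$"):
        return None  # locked ('!', '*'), empty, or legacy entry
    parts = hash_field.split("$")  # ['', id, (rounds=N,) salt, digest]
    if len(parts) < 4 or parts[1] not in ("5", "6"):
        return None  # only the two schemes named in the advisory are handled
    prefix = "$" + parts[1] + "$"
    if parts[2].startswith("rounds=") and len(parts) >= 5:
        prefix += parts[2] + "$"  # keep the cost so the work factor matches
    return prefix


def pick_dummy_setting(shadow_text):
    """Build the crypt(3) setting string for the unknown-user code path."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        prefix = scheme_prefix(fields[1])
        if prefix:
            break  # first real hash decides scheme and cost
    else:
        prefix = DEFAULT_PREFIX
    # Fresh random salt: the dummy hash is never compared against anything.
    salt = "".join(secrets.choice(SALT_CHARS) for _ in range(16))
    return prefix + salt


if __name__ == "__main__":
    print(pick_dummy_setting(SAMPLE_SHADOW))
```
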
Vulnerable Product |
---|
openbsd openssh |