CVE-2003-0190

Description

OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.

How to fix CVE-2003-0190

To remediate CVE-2003-0190, upgrade the affected package to a fixed version below.

• Debian/openssh—upgrade to 1:3.8.1p1-8.sarge.4 or later

Is CVE-2003-0190 being exploited?

Moderate — EPSS is 20.6%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

• from 0, < 1:3.8.1p1-8.sarge.4

References (1)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2003-0190