CVE-2017-2659
7.5
HIGH
CVSS 3.1
EPSS 0.27%
Description
It was found that dropbear before version 2013.59 with GSSAPI leaks whether given username is valid or invalid. When an invalid username is given, the GSSAPI authentication failure was incorrectly counted towards the maximum allowed number of password attempts.
How to fix CVE-2017-2659
To remediate CVE-2017-2659, upgrade the affected package to a fixed version below.
- Debian/dropbear—upgrade to 2013.60-1 or later
Is CVE-2017-2659 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2013.60-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |