CVE-2009-1273 - pam_ssh 1.92 and possibly other versions, as used when PAM is compiled with USE=ssh, generates diffe

CVE-2009-1273

Summary

pam_ssh 1.92 and possibly other versions, as used when PAM is compiled with USE=ssh, generates different error messages depending on whether the username is valid or invalid, which makes it easier for remote attackers to enumerate usernames.

References

http://bugs.gentoo.org/show_bug.cgi?id=263579
http://secunia.com/advisories/34536
http://secunia.com/advisories/34986
https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00116.html
https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00145.html

Vulnerable Configurations

cpe:2.3:a:andrew_j.korty:pam_ssh:1.92:*:*:*:*:*:*:*
cpe:2.3:a:andrew_j.korty:pam_ssh:1.92:*:*:*:*:*:*:*

CVSS

Base:	5.0 (as of 13-05-2009 - 05:27)
Impact:
Exploitability:

CWE

CWE-255

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:N/A:N

refmap via4

confirm	http://bugs.gentoo.org/show_bug.cgi?id=263579
fedora	FEDORA-2009-3500 FEDORA-2009-3627
secunia	34536 34986

Last major update

13-05-2009 - 05:27

Published

08-04-2009 - 18:30

Last modified

13-05-2009 - 05:27