OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.
Published 2003-05-12 04:00:00
Updated 2024-02-15 18:46:16
Source MITRE
View at NVD,   CVE.org

Threat overview for CVE-2003-0190

Top countries where our scanners detected CVE-2003-0190
Top open port discovered on systems with this issue 22
IPs affected by CVE-2003-0190 1,111
Threat actors abusing to this issue? Yes
Find out if you* are affected by CVE-2003-0190!
*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2003-0190

Probability of exploitation activity in the next 30 days: 6.45%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 93 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2003-0190

  • SSH Username Enumeration
    First seen: 2020-04-26
    auxiliary/scanner/ssh/ssh_enumusers
    This module uses a malformed packet or timing attack to enumerate users on an OpenSSH server. The default action sends a malformed (corrupted) SSH_MSG_USERAUTH_REQUEST packet using public key authentication (must be enabled) to enumerate users. On

CVSS scores for CVE-2003-0190

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source
5.0
MEDIUM AV:N/AC:L/Au:N/C:P/I:N/A:N
10.0
2.9
NIST

CWE ids for CVE-2003-0190

  • The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
    Assigned by: nvd@nist.gov (Primary)

References for CVE-2003-0190

Products affected by CVE-2003-0190

This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!