141 matches found
OpenSSH sshd Username Information Disclosure (CVE-2018-15473)
An information disclosure vulnerability exists in OpenSSH. The vulnerability is due to the different ways in which the sshd daemon responds to crafted SSH packets. A successful attack can result in the attacker being able to determine whether a user exists on the system...
SUSE SLED15 / SLES15 Security Update : openssh (SUSE-SU-2018:3686-1)
This update for openssh fixes the following issues : CVE-2018-15919: Remotely observable behaviour in auth-gss2.c in OpenSSH could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. OpenSSH developers do not want to treat such a username enumeration o...
openSUSE: Security Advisory for openssh (openSUSE-SU-2018:3946-1)
The remote host is missing an update for the Copyright C 2018 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
SUSE-SU-2018:3910-1 Security update for openssh
This update for openssh fixes the following issues: Following security issues have been fixed: - CVE-2018-15473: OpenSSH was prone to a user existance oracle vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully...
openSUSE: Security Advisory for openssh (openSUSE-SU-2018:3801-1)
The remote host is missing an update for the Copyright C 2018 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
SUSE-SU-2018:3776-1 Security update for openssh
This update for openssh fixes the following issues: Following security issues have been fixed: - CVE-2018-15919: Remotely observable behaviour in auth-gss2.c in OpenSSH could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. OpenSSH developers do not...
SUSE-SU-2018:3768-1 Security update for openssh-openssl1
This update for openssh-openssl1 fixes the following issues: Security issues fixed: - CVE-2018-15919: Remotely observable behaviour in auth-gss2.c in OpenSSH could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. OpenSSH developers do not want to...
Timing Attack
pac4j-sql is vulnerable to timing attack. The password encoding of an authentication request is performed after a user is found. This causes a delay and provides hint to an attacker if the user exists...
CVE-2018-15919
OpenSSH server was found to respond differently to failed GSSAPI authentication attempts when the target user existed versus when that user did not exist. A remote attacker could use this bug to test for the existence of particular usernames on a target system. Mitigation If GSSAPI Authentication...
Design/Logic Flaw
Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration or...
DEBIAN-CVE-2018-15919
Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration or...
CVE-2018-15919
Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states ‘We understand that the OpenSSH developers do not want to treat such a username enumeration or...
CVE-2018-2448
Under certain conditions SAP SRM-MDM CATALOG versions 3.0, 7.01, 7.02 utilities functionality allows an attacker to access information of user existence which would otherwise be restricted...
Nextcloud: Login Hints on Admin Panel
Hi, Hope you are doing fine. I wanted to inform you regarding the enabling of the login hints on your wp-admin panelhttps://nextcloud.com/wp-login.php. Vulnerability: The admin panel shows very "specific" hint information if a hacker tries for a bruteforcing attack. Steps to reproduce: 1. Navigat...
UBUNTU-CVE-2016-0762
The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note...
Username enumeration through the username parameter to the ViewUserHover resource.
It is possible to enumerate usernames through the secure/ViewUserHover resource through the username parameter. JIRA leaks the existence of a username by showing your entire name. 1. Log out of JIRA 2. Go to...
CVE-2014-2064
The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts...
CVE-2014-2064
The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts...
CVE-2014-2064
The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts...
CVE-2014-2064
CVE-2014-2064 affects Jenkins: the loadUserByUsername function in HudsonPrivateSecurityRealm.java (Jenkins before 1.551 and LTS before 1.532.2) allows remote attackers to determine whether a user exists via failed login attempts. Impact: information disclosure (user existence). CVSS v2 base score...