CVE-2016-20012

2021-09-1500:00:00

ubuntu.com

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.006 Low

EPSS

Percentile

77.3%

JSON

DISPUTED OpenSSH through 8.7 allows remote attackers, who have a
suspicion that a certain combination of username and public key is known to
an SSH server, to test whether this suspicion is correct. This occurs
because a challenge is sent only when that combination could be valid for a
login session. NOTE: the vendor does not recognize user enumeration as a
vulnerability for this product.

Notes

Author	Note
seth-arnold	openssh-ssh1 is provided for compatibility with old devices that cannot be upgraded to modern protocols. Thus we may not provide security support for this package if doing so would prevent access to equipment. The upstream OpenSSH developers see this as an important security feature and do not intend to ‘fix’ it.
ccdm94	Reading through the comments in PR 270, which is now closed and has not been merged, it is possible to see that upstream does not plan on fixing this issue because it would introduce too many possible new problems.