Upstream information
Description
OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.SUSE information
Overall state of this security issue: Resolved
This issue is currently rated as having moderate severity.
| National Vulnerability Database | |
|---|---|
| Base Score | 4.3 |
| Vector | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | None |
| Availability Impact | None |
Note from the SUSE Security Team
Due to the nature of OTP authentification, hiding existence of users is not possible. So we will not fix this issue. SUSE Bugzilla entry: 628772 [RESOLVED / INVALID] No SUSE Security Announcements cross referenced.SUSE Timeline for this CVE
CVE page created: Fri Jun 28 03:43:36 2013CVE page last modified: Fri Oct 7 12:45:36 2022