Upstream information
Description
OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.SUSE information
Overall state of this security issue: Resolved
This issue is currently rated as having moderate severity.
| CVSS detail | National Vulnerability Database |
|---|---|
| Base Score | 5 |
| Vector | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | None |
| Availability Impact | None |
Note from the SUSE Security Team
This issue does not affect openssh in SUSE Linux Enterprise 9 and SUSE Linux Enterprise 10, as no S/KEY support is built into our packages. SUSE Bugzilla entries: 620222 [RESOLVED / WONTFIX], 628772 [RESOLVED / INVALID] No SUSE Security Announcements cross referenced.SUSE Timeline for this CVE
CVE page created: Fri Jun 28 03:15:12 2013CVE page last modified: Mon Oct 6 18:14:56 2025