CVE-2009-1273

pam_ssh 1.92 and possibly other versions, as used when PAM is compiled with USE=ssh, generates different error messages depending on whether the username is valid or invalid, which makes it easier for remote attackers to enumerate usernames.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 58%
Affected Products (NVD)
VendorProductVersion
andrew_j.kortypam_ssh
1.92
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libpam-ssh
bullseye
2.3+ds-2
fixed
etch
no-dsa
sid
2.3+ds-8
fixed
trixie
2.3+ds-8
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libpam-ssh
dapper
ignored
gutsy
ignored
hardy
ignored
intrepid
ignored
jaunty
ignored
karmic
ignored
lucid
not-affected
maverick
not-affected
natty
not-affected
oneiric
not-affected
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
pam_ssh
suse enterprise sap 12 SP5
2.0-1.40
fixed
suse enterprise server 12
2.0-1.40
fixed
suse enterprise server 12 SP1
2.0-1.40
fixed
suse enterprise server 12 SP2
2.0-1.40
fixed
suse enterprise server 12 SP3
2.0-1.40
fixed
suse enterprise server 12 SP4
2.0-1.40
fixed
suse enterprise server 12 SP5
2.0-1.40
fixed
pam_ssh-32bit
suse enterprise sap 12 SP5
2.0-1.40
fixed
suse enterprise server 12
2.0-1.40
fixed
suse enterprise server 12 SP1
2.0-1.40
fixed
suse enterprise server 12 SP2
2.0-1.40
fixed
suse enterprise server 12 SP3
2.0-1.40
fixed
suse enterprise server 12 SP4
2.0-1.40
fixed
suse enterprise server 12 SP5
2.0-1.40
fixed
Common Weakness Enumeration
References
http://bugs.gentoo.org/show_bug.cgi?id=263579
http://secunia.com/advisories/34536
http://secunia.com/advisories/34986
https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00116.html
https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00145.html
http://bugs.gentoo.org/show_bug.cgi?id=263579
http://secunia.com/advisories/34536
http://secunia.com/advisories/34986
https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00116.html
https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00145.html