CVE-2017-2659

EUVD-2017-11807
It was found that dropbear before version 2013.59 with GSSAPI leaks whether given username is valid or invalid. When an invalid username is given, the GSSAPI authentication failure was incorrectly counted towards the maximum allowed number of password attempts.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
redhatCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 50%
Affected Products (NVD)
VendorProductVersion
dropbear_ssh_projectdropbear_ssh
𝑥
< 2013.59
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
dropbear
bookworm
2022.83-1+deb12u2
fixed
bullseye
2020.81-3+deb11u2
fixed
sid
2024.86-1
fixed
trixie
2024.86-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
dropbear
bionic
not-affected
cosmic
not-affected
trusty
dne
xenial
not-affected
Common Weakness Enumeration
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2659
https://secure.ucc.asn.au/hg/dropbear/rev/d7784616409a#l1.86
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2659
https://secure.ucc.asn.au/hg/dropbear/rev/d7784616409a#l1.86