CVE-2017-2659

It was found that dropbear before version 2013.59 with GSSAPI leaks whether given username is valid or invalid. When an invalid username is given, the GSSAPI authentication failure was incorrectly counted towards the maximum allowed number of password attempts.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
redhatCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 44%
VendorProductVersion
dropbear_ssh_projectdropbear_ssh
𝑥
< 2013.59
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
dropbear
bullseye
2020.81-3+deb11u2
fixed
bookworm
2022.83-1+deb12u2
fixed
sid
2024.86-1
fixed
trixie
2024.86-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
dropbear
cosmic
not-affected
bionic
not-affected
xenial
not-affected
trusty
dne
Common Weakness Enumeration
References
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2659
https://secure.ucc.asn.au/hg/dropbear/rev/d7784616409a#l1.86
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2659
https://secure.ucc.asn.au/hg/dropbear/rev/d7784616409a#l1.86