CVE-2020-14145 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA-ADP	ADP	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 79%

Affected Products (NVD)

Vendor	Product	Version
openbsd	openssh	5.7 ≤ 𝑥 < 8.4
openbsd	openssh	8.4
openbsd	openssh	8.5
openbsd	openssh	8.6
netapp	aff_a700s_firmware	-
netapp	active_iq_unified_manager	9.5 ≤
netapp	hci_management_node	-
netapp	ontap_select_deploy_administration_utility	-
netapp	solidfire	-
netapp	steelstore_cloud_integrated_storage	-
netapp	hci_compute_node	-
netapp	hci_storage_node	-

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

openssh

bookworm	unimportant
bookworm (security)	unimportant
bullseye	unimportant
bullseye (security)	unimportant
sid	unimportant
trixie	unimportant

Ubuntu Releases

Ubuntu Product

Codename

openssh

bionic	ignored
eoan	ignored
focal	ignored
groovy	ignored
hirsute	ignored
impish	ignored
jammy	ignored
kinetic	ignored
lunar	ignored
mantic	ignored
trusty	ignored
xenial	ignored

openssh-ssh1

bionic	ignored
eoan	ignored
focal	ignored
groovy	ignored
hirsute	ignored
impish	ignored
jammy	ignored
kinetic	ignored
lunar	ignored
mantic	ignored
trusty	dne
xenial	dne

Common Weakness Enumeration

CWE-203 - Observable Discrepancy
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References

http://www.openwall.com/lists/oss-security/2020/12/02/1

https://anongit.mindrot.org/openssh.git/commit/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d

https://docs.ssh-mitm.at/CVE-2020-14145.html

https://github.com/openssh/openssh-portable/compare/V_8_3_P1...V_8_4_P1

https://github.com/ssh-mitm/ssh-mitm/blob/master/ssh_proxy_server/plugins/session/cve202014145.py

https://security.gentoo.org/glsa/202105-35

https://security.netapp.com/advisory/ntap-20200709-0004/

https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-2-ausnutzung-eines-informationslecks-fuer-gezielte-mitm-angriffe-auf-ssh-clients/

http://www.openwall.com/lists/oss-security/2020/12/02/1

https://anongit.mindrot.org/openssh.git/commit/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d

https://docs.ssh-mitm.at/CVE-2020-14145.html

https://github.com/openssh/openssh-portable/compare/V_8_3_P1...V_8_4_P1

https://github.com/ssh-mitm/ssh-mitm/blob/master/ssh_proxy_server/plugins/session/cve202014145.py

https://security.gentoo.org/glsa/202105-35

https://security.netapp.com/advisory/ntap-20200709-0004/

https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-2-ausnutzung-eines-informationslecks-fuer-gezielte-mitm-angriffe-auf-ssh-clients/