CVE-2018-15599
PUBLISHED
The recv_msg_userauth_request function in svr-auth.c in Dropbear through 2018.76 is prone to a user enumeration vulnerability because username validity affects how fields in SSH_MSG_USERAUTH messages are handled, a similar issue to CVE-2018-15473 in an unrelated codebase.
Risk Scores
EPSS Score
0.52%
67.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | dropbear | 2015.71-1, 2015.68-1, 2015.70-1 |
| Ubuntu:Pro:18.04:LTS | dropbear | 2017.75-2, 2017.75-3build1, * |
Timeline
- Aug 21, 2018 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 22, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 25, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 27, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 2, 2022 EPSS Score
- Nov 5, 2022 EPSS Score
- Jan 7, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2018-15599 third-party-advisory
- http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002108.html third-party-advisory
- http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2018q3/002109.html third-party-advisory
- https://old.reddit.com/r/blackhat/comments/97ywnm/openssh_username_enumeration/e4e05n2/ third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2018-15599 third-party-advisory