DEBIAN-CVE-2003-0190

DEBIAN-CVE-2003-0190 PUBLISHED

OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.

Affected Products

Vendor	Product	Versions
Debian:13	openssh	0, 0, 0
Debian:14	openssh	0, 0, 0
Debian:11	openssh	0, 0, 0
Debian:12	openssh	0, 0, 0

Timeline

May 12, 2003 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2003-0190 advisory

Open in Interactive Console →