CVE-2016-20012
Published: Sep 15, 2021
Modified: May 29, 2026
PUBLISHED
Description
OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product.
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | affected n/a |
References
https://github.com/openssh/openssh-portable/pull/270 (x_refsource_MISC)
https://utcc.utoronto.ca/~cks/space/blog/tech/SSHKeysAreInfoLeak (x_refsource_MISC)
https://rushter.com/blog/public-ssh-keys/ (x_refsource_MISC)
https://security.netapp.com/advisory/ntap-20211014-0005/ (x_refsource_CONFIRM)
https://www.openwall.com/lists/oss-security/2018/08/24/1 (x_refsource_MISC)