QwikSec

Security Database

CVE

CWE

Training

CVE-2016-6210

Published: Feb 13, 2017

Modified: May 29, 2026

PUBLISHED

Description

sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which allows remote attackers to enumerate users by leveraging the timing difference between responses when a large password is provided.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

vendor-advisory

vdb-entry

20160714 opensshd - user enumeration

mailing-list

vendor-advisory

exploit

exploit

https://www.openssh.com/txt/release-7.3

vendor-advisory

vendor-advisory

vdb-entry

https://security.netapp.com/advisory/ntap-20190206-0001/

https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.