CVE-2020-14145

5.9MEDIUM

Key Information:

Vendor
OpenBSD
Status
Openssh
Vendor
CVE Published:
29 June 2020

Summary

The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.

References

https://github.com/openssh/openssh-portable/compare/V_8_3...
x_refsource_MISC
https://www.fzi.de/en/news/news/detail-en/artikel/fsa-202...
x_refsource_MISC
https://security.netapp.com/advisory/ntap-20200709-0004/
x_refsource_CONFIRM

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.