What is GHSA-7m62-4jfr-67wh?

GHSA-7m62-4jfr-67wh is a security advisory published by GitHub Security Advisories with High severity. OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the public parameters...

Which CVE IDs does GHSA-7m62-4jfr-67wh cover?

GHSA-7m62-4jfr-67wh covers the following CVE IDs: CVE-2010-4478. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-7m62-4jfr-67wh?

GHSA-7m62-4jfr-67wh has a CVSS v3 base score of 9.8, published by GitHub Security Advisories.

GHSA-7m62-4jfr-67whHighCVSS 9.8

OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the public parameters...

Vendor

GitHub Security Advisories

Published

May 17, 2022

Last Modified

May 28, 2026

🔗 CVE IDs covered (1)

CVE-2010-4478 →

📋 Description

OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol, a related issue to CVE-2010-4252.

🔗 References (10)

https://nvd.nist.gov/vuln/detail/CVE-2010-4478
https://bugzilla.redhat.com/show_bug.cgi?id=659297
https://github.com/seb-m/jpake
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12338
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10673
http://seb.dbzteam.org/crypto/jpake-session-key-retrieval.pdf
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/jpake.c#rev1.5
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/jpake.c.diff?r1=1.4;r2=1.5;f=h
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/jpake.c.diff?r1=1.4%3Br2=1.5%3Bf=h
https://github.com/advisories/GHSA-7m62-4jfr-67wh