What is GHSA-84j4-ccmw-hwpg?

GHSA-84j4-ccmw-hwpg is a security advisory published by GitHub Security Advisories with Medium severity. OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of...

Which CVE IDs does GHSA-84j4-ccmw-hwpg cover?

GHSA-84j4-ccmw-hwpg covers the following CVE IDs: CVE-2016-20012. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-84j4-ccmw-hwpg?

GHSA-84j4-ccmw-hwpg has a CVSS v3 base score of 5.3, published by GitHub Security Advisories.

GHSA-84j4-ccmw-hwpgMediumCVSS 5.3

OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of...

Vendor

GitHub Security Advisories

Published

May 24, 2022

Last Modified

May 29, 2026

🔗 CVE IDs covered (1)

CVE-2016-20012 →

📋 Description

OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session.

🔗 References (10)

https://nvd.nist.gov/vuln/detail/CVE-2016-20012
https://github.com/openssh/openssh-portable/pull/270
https://github.com/openssh/openssh-portable/pull/270#issuecomment-920577097
https://github.com/openssh/openssh-portable/pull/270#issuecomment-943909185
https://github.com/openssh/openssh-portable/blob/d0fffc88c8fe90c1815c6f4097bc8cbcabc0f3dd/auth2-pubkey.c#L261-L265
https://utcc.utoronto.ca/~cks/space/blog/tech/SSHKeysAreInfoLeak
https://www.openwall.com/lists/oss-security/2018/08/24/1
https://rushter.com/blog/public-ssh-keys
https://security.netapp.com/advisory/ntap-20211014-0005
https://github.com/advisories/GHSA-84j4-ccmw-hwpg