{"id":"CVE-2018-15919","details":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","modified":"2026-03-13T23:34:26.089830Z","published":"2018-08-28T08:29:00.207Z","references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/105163"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20181221-0001/"},{"type":"FIX","url":"http://seclists.org/oss-sec/2018/q3/180"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openssh/openssh-portable","events":[{"introduced":"5643cf0fc4d71e783c6aef2574684f07d21945ab"},{"last_affected":"71508e06fab14bc415a79a08f5535ad7bffa93d9"}],"database_specific":{"versions":[{"introduced":"5.9"},{"last_affected":"7.8"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-15919.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}