CVE-2009-1273
EPSS 0.36%
Description
pam_ssh 1.92 and possibly other versions, as used when PAM is compiled with USE=ssh, generates different error messages depending on whether the username is valid or invalid, which makes it easier for remote attackers to enumerate usernames.
How to fix CVE-2009-1273
To remediate CVE-2009-1273, upgrade the affected package to a fixed version listed below.
- Debian/libpam-ssh: upgrade to 1.92-7 or later
Is CVE-2009-1273 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.92-7