CVE-2007-2768 - Vulnerability Details - OpenCVE

OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Netapp	Hci Management Node Hci Storage Node Solidfire Steelstore Cloud Integrated Storage
Openbsd	Openssh

Configuration 1 [-]

cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:netapp:hci_management_node:-:::::::*
	cpe:2.3:a:netapp:solidfire:-:::::::*
	cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:::::::*
	cpe:2.3:h:netapp:hci_storage_node:-:::::::*

No data.

References

Link	Providers
http://archives.neohapsis.com/archives/fulldisclosure/2007-04/0635.html
http://www.osvdb.org/34601
https://security.netapp.com/advisory/ntap-20191107-0002/

History

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00256}`	epss `{'score': 0.0024}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2007-05-21T20:00:00

Updated: 2024-08-07T13:49:57.388Z

Reserved: 2007-05-21T00:00:00

Link: CVE-2007-2768

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2007-05-21T20:30:00.000

Modified: 2025-04-09T00:30:58.490

Link: CVE-2007-2768

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2007-04-24T00:00:00", "descriptions": [{"lang": "en", "value": "OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-11-07T09:06:29", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "34601", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/34601"}, {"name": "20070424 Re: OpenSSH - System Account Enumeration if S/Key is used", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2007-04/0635.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20191107-0002/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2007-2768", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "34601", "refsource": "OSVDB", "url": "http://www.osvdb.org/34601"}, {"name": "20070424 Re: OpenSSH - System Account Enumeration if S/Key is used", "refsource": "FULLDISC", "url": "http://archives.neohapsis.com/archives/fulldisclosure/2007-04/0635.html"}, {"name": "https://security.netapp.com/advisory/ntap-20191107-0002/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20191107-0002/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T13:49:57.388Z"}, "title": "CVE Program Container", "references": [{"name": "34601", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://www.osvdb.org/34601"}, {"name": "20070424 Re: OpenSSH - System Account Enumeration if S/Key is used", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2007-04/0635.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20191107-0002/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2007-2768", "datePublished": "2007-05-21T20:00:00", "dateReserved": "2007-05-21T00:00:00", "dateUpdated": "2024-08-07T13:49:57.388Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6D7D468-C829-4A4E-8865-E62D8EC5E274", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*", "matchCriteriaId": "A3C19813-E823-456A-B1CE-EC0684CE1953", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*", "matchCriteriaId": "A6E9EF0C-AFA8-4F7B-9FDC-1E0F7C26E737", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*", "matchCriteriaId": "E94F7F59-1785-493F-91A7-5F5EA5E87E4D", "vulnerable": true}, {"criteria": "cpe:2.3:h:netapp:hci_storage_node:-:*:*:*:*:*:*:*", "matchCriteriaId": "02DEB4FB-A21D-4CB1-B522-EEE5093E8521", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243."}, {"lang": "es", "value": "OpenSSH, cuando utiliza OPIE(One-Time Passwords in Everything) para PAM, permiet a atacantes remotos determinar la existencia de ciertas cuentas de usuarios, lo cual muestra una respuesta diferente si la cuenta de usuario existe y si est\u00e1 configurada para utilizar one-time passwords (OTP), un asunto similar es el CVE-2007-2243."}], "id": "CVE-2007-2768", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2007-05-21T20:30:00.000", "references": [{"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2007-04/0635.html"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://www.osvdb.org/34601"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20191107-0002/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2007-04/0635.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://www.osvdb.org/34601"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20191107-0002/"}], "sourceIdentifier": "cve@mitre.org", "vendorComments": [{"comment": "Not vulnerable. OPIE for PAM is not shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.", "lastModified": "2007-05-23T00:00:00", "organization": "Red Hat"}], "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}