{"id":"CVE-2020-14145","details":"The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.","modified":"2026-04-24T06:42:50.481346577Z","published":"2020-06-29T18:15:11.940Z","related":["ALSA-2021:4368","SUSE-SU-2020:3736-1","SUSE-SU-2020:3844-1","SUSE-SU-2020:3866-1","SUSE-SU-2020:3882-1","SUSE-SU-2021:0022-1","openSUSE-SU-2020:2240-1","openSUSE-SU-2020:2298-1"],"references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2020/12/02/1"},{"type":"ADVISORY","url":"https://anongit.mindrot.org/openssh.git/commit/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d"},{"type":"ADVISORY","url":"https://docs.ssh-mitm.at/CVE-2020-14145.html"},{"type":"ADVISORY","url":"https://github.com/openssh/openssh-portable/compare/V_8_3_P1...V_8_4_P1"},{"type":"ADVISORY","url":"https://github.com/ssh-mitm/ssh-mitm/blob/master/ssh_proxy_server/plugins/session/cve202014145.py"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202105-35"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20200709-0004/"},{"type":"ADVISORY","url":"https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-2-ausnutzung-eines-informationslecks-fuer-gezielte-mitm-angriffe-auf-ssh-clients/"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2020/12/02/1"},{"type":"FIX","url":"https://anongit.mindrot.org/openssh.git/commit/?id=b3855ff053f5078ec3d3c653cdaedefaa5fc362d"},{"type":"FIX","url":"https://github.com/openssh/openssh-portable/compare/V_8_3_P1...V_8_4_P1"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2020/12/02/1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openssh/openssh-portable","events":[{"introduced":"6f8f04b860765da07938bfe1fef017b00c3a3d55"},{"fixed":"279261e1ea8150c7c64ab5fe7cb4a4ea17acbb29"}]}],"versions":["V_5_7_P1","V_6_0_P1","V_6_1_P1","V_6_2_P1","V_6_5_P1","V_6_6_P1","V_6_8_P1","V_6_9_P1","V_7_0_P1","V_7_1_P1","V_7_2_P1","V_7_3_P1","V_7_4_P1","V_7_5_P1","V_7_6_P1","V_7_7_P1","V_7_8_P1","V_7_9_P1","V_8_0_P1","V_8_1_P1","V_8_2_P1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-14145.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}