PT-2020-14850 · Winston · Winston

Author: Chris Davis
Published: 2020-10-28
Updated: 2021-07-21
CVE: CVE-2020-16259
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Winston version 1.5.4

Description: The issue concerns an undocumented SSH user account in Winston devices that allows access from bastion hosts. The account is not mentioned in the device documentation, and its existence is not disclosed to users.

Recommendations: For Winston version 1.5.4, consider restricting access to the undocumented SSH user account to minimize potential risk until a formal fix or documentation update is provided. As a temporary workaround, review and adjust the device configuration to limit access from bastion hosts. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
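One way to act on the recommendation above, as an added example that is not part of the advisory or the vendor's code: audit the device's passwd file for login-capable accounts that are absent from a documented allowlist, and emit sshd_config DenyUsers rules that block those accounts from the bastion network. The account name, the sample passwd content, the allowlist and the bastion CIDR are all constructed assumptions; the device is assumed to run OpenSSH with a writable sshd_config.

```shell
#!/bin/sh
# Constructed sample passwd content (not taken from a real Winston device).
# "svcacct" stands in for an undocumented account; its real name is unknown.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:Documented admin:/home/admin:/bin/sh
svcacct:x:1001:1001:Undocumented:/home/svcacct:/bin/bash'

# undocumented_accounts "<space-separated allowed users>"
# Reads passwd lines on stdin and prints every account whose shell permits
# an interactive login but whose name is not on the documented allowlist.
undocumented_accounts() {
    awk -F: -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $7 !~ /\/(nologin|false|sync|halt|shutdown)$/ && !($1 in ok) { print $1 }
    '
}

# deny_rules "<allowed users>" <bastion-cidr>
# Reads passwd lines on stdin and prints one sshd_config directive per
# undocumented account. DenyUsers accepts USER@HOST patterns, and HOST may
# be given in CIDR form, so each rule blocks that account from the bastion net.
deny_rules() {
    undocumented_accounts "$1" | while read -r u; do
        printf 'DenyUsers %s@%s\n' "$u" "$2"
    done
}

# On a live host (assumed paths and allowlist):
#   undocumented_accounts "root admin" < /etc/passwd
#   deny_rules "root admin" 10.0.0.0/24 < /etc/passwd >> /etc/ssh/sshd_config
# Reload sshd afterwards and confirm the documented accounts still log in.
```

Blocking the account only from the bastion range matches the workaround in the advisory; a bare `DenyUsers svcacct` line would disable SSH for it from every source.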


Related Identifiers

CVE-2020-16259

Affected Products

Winston