The client side in OpenSSH 5.7 through 8.3 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client).
Created openssh tracking bugs for this issue:
Affects: fedora-all [bug 1852931]
This attack is only feasible when connecting to a malicious man-in-the-middle SSH server whose host keys have not been verified by the user on the ssh client side. The attacker can only detect whether the client is using a host key from its key store or a new host key has been presented to it. Therefore, this does not present a real-world attack scenario.
Always connect to SSH servers with verified host keys to avoid any possibility of a man-in-the-middle attack.
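
A pre-connection check for the condition this issue depends on (no host key cached for the server), as an added example that is not part of the original report or of OpenSSH: it parses known_hosts text, including hashed entries, and reports whether a host is already pinned. The function names, sample hosts and placeholder keys are assumptions; wildcard, negated and `[host]:port` patterns are not handled.

```python
import base64
import hashlib
import hmac


def host_matches(host_field, host):
    """True if a known_hosts host field (plain list or |1| hashed) names host."""
    if host_field.startswith("|1|"):
        # Hashed entry: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))
        _, _, salt_b64, mac_b64 = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        want = base64.b64decode(mac_b64)
        got = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, got)
    return host in host_field.split(",")  # exact names only (assumption)


def pinned_key_types(known_hosts_text, host):
    """Return the key types already cached for host, in file order."""
    types = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # @revoked / @cert-authority lines are not pinned host keys
        if fields[0].startswith("@") or len(fields) < 3:
            continue
        if host_matches(fields[0], host):
            types.append(fields[1])
    return types


def is_first_contact(known_hosts_text, host):
    """True when no host key is cached, i.e. the case the advisory describes."""
    return not pinned_key_types(known_hosts_text, host)


def _hashed(host, salt=b"constructed-salt-000"):
    """Build a hashed host field for the constructed sample below."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


# Constructed sample; hosts and key blobs are placeholders, not real keys.
SAMPLE = "\n".join([
    "# constructed known_hosts sample",
    "build.example.test ssh-ed25519 AAAAC3PLACEHOLDER",
    _hashed("db.example.test") + " ecdsa-sha2-nistp256 AAAAE2PLACEHOLDER",
    "@revoked old.example.test ssh-rsa AAAAB3PLACEHOLDER",
])
```

A wrapper script can refuse to connect, or require out-of-band fingerprint verification, whenever `is_first_contact` returns True.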