VDB
RHSA-2025%3A0385
RHSA-2025%3A0385
PUBLISHED
CVSS 8.199999809265137 HIGH
A flaw was found in the x/crypto/ssh go library. Applications and libraries that misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. For example, an attacker may send public keys A and B and authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B, for which the attacker does not control the private key. The misuse of ServerConfig.PublicKeyCallback may cause an authorization bypass.
Risk Scores
CVSS 3.1
8.199999809265137
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | rhacm2/volsync-rhel9@sha256:9a882ab03dedd84c31280b22811e4642989cc6a96820a3a003f091a50462dfa0_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9 | rhacm2/volsync-rhel9@sha256:9a882ab03dedd84c31280b22811e4642989cc6a96820a3a003f091a50462dfa0_amd64 |
| Red Hat | rhacm2/volsync-rhel9@sha256:67d36bc0e9fa06e9a9fa039d06c895e67813a4e6be9c034410766296196870e0_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9 | *, rhacm2/volsync-rhel9@sha256:67d36bc0e9fa06e9a9fa039d06c895e67813a4e6be9c034410766296196870e0_s390x |
| Red Hat | rhacm2/volsync-rhel9@sha256:5b093fc18988671085c78478167fb45b7d2fca1a0ae56860dae6dfe05ea61ee7_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9 | rhacm2/volsync-rhel9@sha256:5b093fc18988671085c78478167fb45b7d2fca1a0ae56860dae6dfe05ea61ee7_arm64, * |
| Red Hat | rhacm2/volsync-rhel9@sha256:67d36bc0e9fa06e9a9fa039d06c895e67813a4e6be9c034410766296196870e0_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9 | * |
| Red Hat | rhacm2/volsync-rhel9@sha256:9a882ab03dedd84c31280b22811e4642989cc6a96820a3a003f091a50462dfa0_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9 | *, * |
| Red Hat | rhacm2/volsync-rhel9@sha256:5b093fc18988671085c78478167fb45b7d2fca1a0ae56860dae6dfe05ea61ee7_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9 | * |
| Red Hat | rhacm2/volsync-rhel9@sha256:65c8d7313d6dd1d6a61cbba457639bbce9e5f3adea53c6c17ad939d72a875d34_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9 | rhacm2/volsync-rhel9@sha256:65c8d7313d6dd1d6a61cbba457639bbce9e5f3adea53c6c17ad939d72a875d34_ppc64le, * |
| Red Hat | rhacm2/volsync-rhel9@sha256:65c8d7313d6dd1d6a61cbba457639bbce9e5f3adea53c6c17ad939d72a875d34_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9 | rhacm2/volsync-rhel9@sha256:65c8d7313d6dd1d6a61cbba457639bbce9e5f3adea53c6c17ad939d72a875d34_ppc64le |
| Red Hat | rhacm2/volsync-operator-bundle@sha256:b1eb7e31f2a3e3371231223e01f4d06b609340b2403b53491c7a19c6d482609a_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9 | rhacm2/volsync-operator-bundle@sha256:b1eb7e31f2a3e3371231223e01f4d06b609340b2403b53491c7a19c6d482609a_amd64 |
| Red Hat | rhacm2/volsync-operator-bundle@sha256:b1eb7e31f2a3e3371231223e01f4d06b609340b2403b53491c7a19c6d482609a_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.12 for RHEL 9 | rhacm2/volsync-operator-bundle@sha256:b1eb7e31f2a3e3371231223e01f4d06b609340b2403b53491c7a19c6d482609a_amd64, * |
Timeline
- Jan 16, 2025 CVE Published
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- May 15, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2025:0385 advisory
- https://access.redhat.com/security/updates/classification/#important advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2329991 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2331720 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2333122 issue
- https://issues.redhat.com/browse/ACM-16525 advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_0385.json advisory
- https://access.redhat.com/security/cve/CVE-2024-45337 advisory
- https://www.cve.org/CVERecord?id=CVE-2024-45337 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-45337 advisory
- https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909 advisory
- https://go.dev/cl/635315 advisory
- https://go.dev/issue/70779 advisory
- https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ advisory
- https://pkg.go.dev/vuln/GO-2024-3321 advisory
- https://access.redhat.com/security/cve/CVE-2024-45338 advisory
- https://www.cve.org/CVERecord?id=CVE-2024-45338 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-45338 advisory
- https://go.dev/cl/637536 advisory
- https://go.dev/issue/70906 advisory
…and 9 more