VDB
RHSA-2025%3A0552
RHSA-2025%3A0552
PUBLISHED
CVSS 8.199999809265137 HIGH
A flaw was found in the x/crypto/ssh go library. Applications and libraries that misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. For example, an attacker may send public keys A and B and authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B, for which the attacker does not control the private key. The misuse of ServerConfig.PublicKeyCallback may cause an authorization bypass.
Risk Scores
CVSS 3.1
8.199999809265137
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | multicluster-engine/cluster-api-provider-aws-rhel8@sha256:bea0c96bee624376a20912bd158b2861844116f4e692c0fe76e0a0e09053834d_s390x as a component of multicluster engine for Kubernetes 2.4 for RHEL 8 | *, * |
| Red Hat | multicluster-engine/provider-credential-controller-rhel8@sha256:90f6e748f763aaeb3765a3dc3e29ff7854b5e03c9c736c44a80464cc18dc9575_arm64 as a component of multicluster engine for Kubernetes 2.4 for RHEL 8 | *, * |
| Red Hat | multicluster-engine/assisted-installer-rhel8@sha256:adfef0f4b6f0e1ff80faf2edb036fa612b8b462cc5dd25d2e1133a72a804c826_s390x as a component of multicluster engine for Kubernetes 2.4 for RHEL 8 | multicluster-engine/assisted-installer-rhel8@sha256:adfef0f4b6f0e1ff80faf2edb036fa612b8b462cc5dd25d2e1133a72a804c826_s390x |
| Red Hat | multicluster-engine/aws-encryption-provider-rhel8@sha256:d109655ca5f83da070a578c3e9b225d1f63fb6523461c2fd3bc1b9ea86ffeb13_ppc64le as a component of multicluster engine for Kubernetes 2.4 for RHEL 8 | multicluster-engine/aws-encryption-provider-rhel8@sha256:d109655ca5f83da070a578c3e9b225d1f63fb6523461c2fd3bc1b9ea86ffeb13_ppc64le, * |
| Red Hat | multicluster-engine/apiserver-network-proxy-rhel8@sha256:8c751b1ef9467a15cf117ce580224a86470ee4a6c0df2ca79ffd3bb8d29dd6bb_s390x as a component of multicluster engine for Kubernetes 2.4 for RHEL 8 | *, multicluster-engine/apiserver-network-proxy-rhel8@sha256:8c751b1ef9467a15cf117ce580224a86470ee4a6c0df2ca79ffd3bb8d29dd6bb_s390x |
| Red Hat | multicluster-engine/addon-manager-rhel8@sha256:8e360d0b2c3471faa15bb56672e9376b5c59dc095bbba99166a96df98faa6f7d_ppc64le as a component of multicluster engine for Kubernetes 2.4 for RHEL 8 | multicluster-engine/addon-manager-rhel8@sha256:8e360d0b2c3471faa15bb56672e9376b5c59dc095bbba99166a96df98faa6f7d_ppc64le |
| Red Hat | multicluster-engine/hypershift-rhel8-operator@sha256:030e5bb0f4c0179e0501bb9cce4a12f78bd74e22f993f3a16042dffc5336452c_s390x as a component of multicluster engine for Kubernetes 2.4 for RHEL 8 | multicluster-engine/hypershift-rhel8-operator@sha256:030e5bb0f4c0179e0501bb9cce4a12f78bd74e22f993f3a16042dffc5336452c_s390x, * |
| Red Hat | multicluster-engine/aws-encryption-provider-rhel8@sha256:e2230599d54a396b33c78d1ef51860941fb8d32c9ef6183f2044d18d3377dc73_arm64 as a component of multicluster engine for Kubernetes 2.4 for RHEL 8 | *, multicluster-engine/aws-encryption-provider-rhel8@sha256:e2230599d54a396b33c78d1ef51860941fb8d32c9ef6183f2044d18d3377dc73_arm64 |
| Red Hat | multicluster-engine/managedcluster-import-controller-rhel8@sha256:cc3b09fbb0a8ef67c26c93158e9eac3fb82235011e8a9f37749d1afe24f6e141_amd64 as a component of multicluster engine for Kubernetes 2.4 for RHEL 8 | *, multicluster-engine/managedcluster-import-controller-rhel8@sha256:cc3b09fbb0a8ef67c26c93158e9eac3fb82235011e8a9f37749d1afe24f6e141_amd64 |
| Red Hat | multicluster-engine/aws-encryption-provider-rhel8@sha256:7c081b1cf8d2c4fbbb8e3c7ec6510c0da038091b2d66e7ef17fda38d4fc56215_amd64 as a component of multicluster engine for Kubernetes 2.4 for RHEL 8 | multicluster-engine/aws-encryption-provider-rhel8@sha256:7c081b1cf8d2c4fbbb8e3c7ec6510c0da038091b2d66e7ef17fda38d4fc56215_amd64, * |
| Red Hat | multicluster-engine/placement-rhel8@sha256:903ac00e2b3012954e6f0006890b2c855071d1b57662f9253b435f54242ce191_amd64 as a component of multicluster engine for Kubernetes 2.4 for RHEL 8 | multicluster-engine/placement-rhel8@sha256:903ac00e2b3012954e6f0006890b2c855071d1b57662f9253b435f54242ce191_amd64, * |
| Red Hat | multicluster-engine/cluster-api-provider-aws-rhel8@sha256:54b5f4a1936d2c6fcaee7d032e677ae85fb5d2062469ea48c7be81e037b8a74d_ppc64le as a component of multicluster engine for Kubernetes 2.4 for RHEL 8 | multicluster-engine/cluster-api-provider-aws-rhel8@sha256:54b5f4a1936d2c6fcaee7d032e677ae85fb5d2062469ea48c7be81e037b8a74d_ppc64le, * |
| Red Hat | multicluster-engine/registration-rhel8@sha256:4c33cb263e08b24907b161828bc2104e0ca90c03297b8cf88af1fa81cbbed24a_ppc64le as a component of multicluster engine for Kubernetes 2.4 for RHEL 8 | *, multicluster-engine/registration-rhel8@sha256:4c33cb263e08b24907b161828bc2104e0ca90c03297b8cf88af1fa81cbbed24a_ppc64le |
| Red Hat | multicluster-engine/assisted-image-service-rhel8@sha256:69a265098a63d52b7fd48d0e203f98f65980a227bb84a12dc5b95faa9b8f6466_s390x as a component of multicluster engine for Kubernetes 2.4 for RHEL 8 | *, multicluster-engine/assisted-image-service-rhel8@sha256:69a265098a63d52b7fd48d0e203f98f65980a227bb84a12dc5b95faa9b8f6466_s390x |
| Red Hat | multicluster-engine/assisted-image-service-rhel8@sha256:69a265098a63d52b7fd48d0e203f98f65980a227bb84a12dc5b95faa9b8f6466_s390x as a component of multicluster engine for Kubernetes 2.4 for RHEL 8 | multicluster-engine/assisted-image-service-rhel8@sha256:69a265098a63d52b7fd48d0e203f98f65980a227bb84a12dc5b95faa9b8f6466_s390x |
| Red Hat | multicluster-engine/assisted-installer-reporter-rhel8@sha256:fb1d3465cff97b1a2a239d739e1104ca906dc4232963bbd518c5b786e76c6061_ppc64le as a component of multicluster engine for Kubernetes 2.4 for RHEL 8 | multicluster-engine/assisted-installer-reporter-rhel8@sha256:fb1d3465cff97b1a2a239d739e1104ca906dc4232963bbd518c5b786e76c6061_ppc64le |
| Red Hat | multicluster-engine/managedcluster-import-controller-rhel8@sha256:685449c2aa1c458d646e6aa6ec0a20e9ac47f61c03f95bf43e75aadd61f521fe_arm64 as a component of multicluster engine for Kubernetes 2.4 for RHEL 8 | multicluster-engine/managedcluster-import-controller-rhel8@sha256:685449c2aa1c458d646e6aa6ec0a20e9ac47f61c03f95bf43e75aadd61f521fe_arm64, * |
| Red Hat | multicluster-engine/assisted-installer-reporter-rhel8@sha256:7189cc7a296d6d4aaee6fc5c569975a5ec156a786c0ad749f802d516ff399802_arm64 as a component of multicluster engine for Kubernetes 2.4 for RHEL 8 | multicluster-engine/assisted-installer-reporter-rhel8@sha256:7189cc7a296d6d4aaee6fc5c569975a5ec156a786c0ad749f802d516ff399802_arm64 |
| Red Hat | multicluster-engine/cluster-proxy-rhel8@sha256:5f18dcfc45fc7e2a25df68b8d22edffaf05da92ff77ded40c35cf6d3e7fd04b0_ppc64le as a component of multicluster engine for Kubernetes 2.4 for RHEL 8 | multicluster-engine/cluster-proxy-rhel8@sha256:5f18dcfc45fc7e2a25df68b8d22edffaf05da92ff77ded40c35cf6d3e7fd04b0_ppc64le, * |
| Red Hat | multicluster-engine/agent-service-rhel8@sha256:e412e953db02a989fa39786d832f456be199cd2cd7cd9ff9d78b8beadc6de2fb_amd64 as a component of multicluster engine for Kubernetes 2.4 for RHEL 8 | *, * |
…and 268 more
Timeline
- Jan 21, 2025 CVE Published
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- May 15, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2025:0552 advisory
- https://access.redhat.com/security/updates/classification/#important advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2331720 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2333122 issue
- https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_0552.json advisory
- https://access.redhat.com/security/cve/CVE-2024-45337 advisory
- https://www.cve.org/CVERecord?id=CVE-2024-45337 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-45337 advisory
- https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909 advisory
- https://go.dev/cl/635315 advisory
- https://go.dev/issue/70779 advisory
- https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ advisory
- https://pkg.go.dev/vuln/GO-2024-3321 advisory
- https://access.redhat.com/security/cve/CVE-2024-45338 advisory
- https://www.cve.org/CVERecord?id=CVE-2024-45338 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-45338 advisory
- https://go.dev/cl/637536 advisory
- https://go.dev/issue/70906 advisory
- https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ advisory
- https://pkg.go.dev/vuln/GO-2024-3333 advisory