VDB
RHSA-2025:0560
PUBLISHED
CVSS 8.2 HIGH
A flaw was found in the golang.org/x/crypto/ssh library. Applications and libraries that misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The callback is invoked for every public key a client offers, not only for the key that ultimately authenticates the connection. For example, an attacker may offer public keys A and B and then authenticate with A: PublicKeyCallback is called only twice, first with A and then with B. An application that records the last key passed to the callback and bases its authorization decision on it will act on key B, for which the attacker does not control the private key. The library fix (commit b4f1988a, released in golang.org/x/crypto v0.31.0) guarantees that, when a connection is authenticated by public key, the last key passed to PublicKeyCallback is the key that authenticated it. Applications should nevertheless carry any per-key identity in the Permissions.Extensions value returned from the callback rather than in state kept outside the library: the callback can still be invoked for keys that never authenticate, and the connection may be authenticated by a different method after the callback has run.
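The misuse pattern the description refers to, as an added example that is not code from this page, from Red Hat, or from golang.org/x/crypto: the library is replaced by simulateAuth, a small model of the pre-fix callback sequence (one callback per offered key, in order, then a signature with one of them). The key blobs, the keyring and the principal names alice and root are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Permissions mirrors ssh.Permissions: Extensions travels with the accepted authentication.
type Permissions struct{ Extensions map[string]string }

// Constructed key blobs standing in for two public keys; the attacker holds only keyA's private half.
var keyA = []byte("example-blob-key-A-attacker-holds-private-key")
var keyB = []byte("example-blob-key-B-attacker-does-not")

// Fingerprint renders a key blob the way ssh.FingerprintSHA256 does.
func Fingerprint(key []byte) string {
	sum := sha256.Sum256(key)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// keyring maps accepted fingerprints to principals (assumed: keyA is a low-privilege user, keyB is root).
var keyring = map[string]string{Fingerprint(keyA): "alice", Fingerprint(keyB): "root"}

// simulateAuth models the pre-fix library behaviour from the advisory: the callback runs once per
// offered key, in order, and the client then proves possession of just one; the Permissions returned
// for that key reach the application. A stand-in for golang.org/x/crypto/ssh, not the library itself.
func simulateAuth(user string, offered [][]byte, signed []byte, cb func(string, []byte) (*Permissions, error)) (*Permissions, error) {
	var accepted *Permissions
	for _, k := range offered {
		p, err := cb(user, k)
		if err != nil {
			continue // rejected key; the client may offer the next one
		}
		if string(k) == string(signed) {
			accepted = p
		}
	}
	if accepted == nil {
		return nil, fmt.Errorf("no accepted key was proven")
	}
	return accepted, nil
}

// VulnerableServer is the misuse: the callback stashes the key it saw in external state and the
// application authorizes from it, assuming the last invocation is the one that authenticated.
type VulnerableServer struct {
	lastKey map[string]string // user -> fingerprint of the last key seen
}

func (s *VulnerableServer) Callback(user string, key []byte) (*Permissions, error) {
	fp := Fingerprint(key)
	if _, ok := keyring[fp]; !ok {
		return nil, fmt.Errorf("unknown key")
	}
	s.lastKey[user] = fp // BUG: this key may never be used to authenticate
	return &Permissions{}, nil
}

// Principal is who the vulnerable server believes logged in as user.
func (s *VulnerableServer) Principal(user string) string { return keyring[s.lastKey[user]] }

// HardenedCallback records the identity in Permissions.Extensions, so what the application
// reads is bound to the key the library actually accepted, whatever order keys were offered in.
func HardenedCallback(_ string, key []byte) (*Permissions, error) {
	fp := Fingerprint(key)
	if _, ok := keyring[fp]; !ok {
		return nil, fmt.Errorf("unknown key")
	}
	return &Permissions{Extensions: map[string]string{"pubkey-fp": fp}}, nil
}

// HardenedPrincipal derives the principal from the accepted Permissions only.
func HardenedPrincipal(p *Permissions) string { return keyring[p.Extensions["pubkey-fp"]] }

// RunAttack plays the advisory's scenario (offer A, offer B, sign with A) against both
// servers and returns the principal each one grants.
func RunAttack() (vulnerable, hardened string, err error) {
	offered := [][]byte{keyA, keyB}
	v := &VulnerableServer{lastKey: map[string]string{}}
	if _, err = simulateAuth("git", offered, keyA, v.Callback); err != nil {
		return "", "", err
	}
	p, err := simulateAuth("git", offered, keyA, HardenedCallback)
	if err != nil {
		return "", "", err
	}
	return v.Principal("git"), HardenedPrincipal(p), nil
}

func main() {
	v, h, err := RunAttack()
	if err != nil {
		panic(err)
	}
	fmt.Println("vulnerable grants:", v, "| hardened grants:", h) // root | alice
}
```

The vulnerable server, which authorizes from the last key it saw, grants root on the strength of key B; the hardened server, which reads the fingerprint back out of Permissions.Extensions, grants alice, the identity actually proven with key A. The Extensions pattern is the one to use with the real library even after updating to a fixed x/crypto, since the callback may still be invoked for keys that never authenticate and the connection may be authenticated by another method afterwards.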
Risk Scores
CVSS 3.1
8.2
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Affected Products
All rows are components of multicluster-globalhub 1.2 for RHEL 9. Rows the source repeated for the same image digest are merged. In the Versions column, `*` is the source's wildcard and "digest" means the source listed the image digest itself as the version.

| Vendor | Image | Digest | Arch | Versions |
|---|---|---|---|---|
| Red Hat | multicluster-globalhub/multicluster-globalhub-operator-bundle | sha256:97dc40279be27a8d4acf86ad7b4e04ec95e7bb9f69b8986e819db482aa7af468 | amd64 | *, digest |
| Red Hat | multicluster-globalhub/multicluster-globalhub-postgres-exporter-rhel9 | sha256:77026e662d82ff9a493f75642589680f77eb505c356d5d9350d294a339a62706 | ppc64le | * |
| Red Hat | multicluster-globalhub/multicluster-globalhub-operator-bundle | sha256:060b612bab17676dfe5c94bae81e2aa5dbf67fd0037e35f01569a541ab8c7fed | s390x | *, digest |
| Red Hat | multicluster-globalhub/multicluster-globalhub-manager-rhel9 | sha256:9382c124b06c330569ba0b1f5dca7a5c682f093dd0a91ac355a693dc13cb420f | amd64 | digest |
| Red Hat | multicluster-globalhub/multicluster-globalhub-agent-rhel9 | sha256:c7fd8cdb5c38d05e7d9d84c8356b900188797f383165cf04ee5e053c1c0809ca | arm64 | *, digest |
| Red Hat | multicluster-globalhub/multicluster-globalhub-manager-rhel9 | sha256:3fdd61a6d8f1116335af5264a6f4ddcb5d33aa3b9955785230cc9f63836c758a | ppc64le | *, digest |
| Red Hat | multicluster-globalhub/multicluster-globalhub-rhel9-operator | sha256:65ef70042ee2eb74c96afaa0a9a0a0eb38c6078b3ef824f001200c50b426ddd1 | s390x | * |
| Red Hat | multicluster-globalhub/multicluster-globalhub-grafana-rhel9 | sha256:7f85e53b5418eec0afec9441a545dcfb58e2d68954bf4715c49aa285fa77caa3 | amd64 | * |
| Red Hat | multicluster-globalhub/multicluster-globalhub-rhel9-operator | sha256:d9e0cbfb380a240379589319b6445ebc3518672e8449f5f1b7cd18633191f04b | arm64 | digest |
| Red Hat | multicluster-globalhub/multicluster-globalhub-grafana-rhel9 | sha256:7494ea507dc7a0a20033a90ecdae225f61dc093b1f01b0e372ef88df2a3c4d03 | ppc64le | *, digest |
| Red Hat | multicluster-globalhub/multicluster-globalhub-grafana-rhel9 | sha256:0306beb5aeb6765ec794ccd272a75c208ceac1443bdd8108df09e9439ddbcccd | arm64 | *, digest |
| Red Hat | multicluster-globalhub/multicluster-globalhub-rhel9-operator | sha256:af8f113e21a3fac9ace9de73125a450c7c761442e0360830be9211ca279201c8 | ppc64le | *, digest |
| Red Hat | multicluster-globalhub/multicluster-globalhub-agent-rhel9 | sha256:ae480bebb429b3b67b3b401fd48e9be2ba846492668261612ab00904353dcff7 | amd64 | *, digest |
| Red Hat | multicluster-globalhub/multicluster-globalhub-postgres-exporter-rhel9 | sha256:859b5f5ec4f75ccf01d8193f6605454ab962a9a5951a0a94ffd483be49dff37d | arm64 | * |
| Red Hat | multicluster-globalhub/multicluster-globalhub-postgres-exporter-rhel9 | sha256:33bb15a3045bbd37de5787773094ff68019a99cd0871a350c3720c3fc2eac1e4 | s390x | *, digest |
| Red Hat | multicluster-globalhub/multicluster-globalhub-postgres-exporter-rhel9 | sha256:9dbc8cec0a932f8bfbe0f9c22df24371a0fe07fa721c601c25a77e835136642f | amd64 | *, digest |
| Red Hat | multicluster-globalhub/multicluster-globalhub-operator-bundle | sha256:85fafeaccf1496f1e4aed45800048ab3a8c092248e4269009be847d6e71f965e | arm64 | *, digest |
…and 28 more
Exploit Intelligence
- Proof of Concept for CVE-2024-45337 against Gitea and Forgejo (github-poc, github-poc-repo)
- Fork of gogs/gogs for reachability benchmark testing (CVE-2024-45337) (github-poc, github-poc-repo)
- An example project that showcases golang code vulnerable to CVE-2024-45337 (github-poc)
- Proof of concept (POC) for CVE-2024-45337 (github-poc)
- .trivyignore.yaml (github-poc)
- DemoReseedInfra.kt (github-poc)
- ssh.go (github-poc)
- cve.pl (github-poc)
…and 3 more exploits
Timeline
- Jan 21, 2025 CVE Published
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Security Advisory
- May 15, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2025:0560 advisory
- https://access.redhat.com/security/updates/classification/#important advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2331720 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2333122 issue
- https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_0560.json advisory
- https://access.redhat.com/security/cve/CVE-2024-45337 advisory
- https://www.cve.org/CVERecord?id=CVE-2024-45337 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-45337 advisory
- https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909 advisory
- https://go.dev/cl/635315 advisory
- https://go.dev/issue/70779 advisory
- https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ advisory
- https://pkg.go.dev/vuln/GO-2024-3321 advisory
- https://access.redhat.com/security/cve/CVE-2024-45338 advisory
- https://www.cve.org/CVERecord?id=CVE-2024-45338 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-45338 advisory
- https://go.dev/cl/637536 advisory
- https://go.dev/issue/70906 advisory
- https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ advisory
- https://pkg.go.dev/vuln/GO-2024-3333 advisory