VDB
RHSA-2025%3A0576
RHSA-2025%3A0576
PUBLISHED
CVSS 8.199999809265137 HIGH
A flaw was found in the x/crypto/ssh go library. Applications and libraries that misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. For example, an attacker may send public keys A and B and authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B, for which the attacker does not control the private key. The misuse of ServerConfig.PublicKeyCallback may cause an authorization bypass.
Risk Scores
CVSS 3.1
8.199999809265137
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | rhacm2/acm-search-indexer-rhel8@sha256:6614a7fecf1fd4abfe614d49eaa8bafa2a4ff6c65ed1f6c169c4a5c0354f516c_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8 | *, rhacm2/acm-search-indexer-rhel8@sha256:6614a7fecf1fd4abfe614d49eaa8bafa2a4ff6c65ed1f6c169c4a5c0354f516c_s390x |
| Red Hat | rhacm2/insights-client-rhel8@sha256:5aab7ede8bea8f5e1f49c68f6b3a7d10d4925b43b434ce1b7a0c68fc07818ed0_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8 | *, rhacm2/insights-client-rhel8@sha256:5aab7ede8bea8f5e1f49c68f6b3a7d10d4925b43b434ce1b7a0c68fc07818ed0_amd64 |
| Red Hat | rhacm2/multicloud-integrations-rhel8@sha256:7271ce1d9e519e1940c5d7e7ca04c7d16c9a603decb5627794817affe0c0ac1b_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8 | rhacm2/multicloud-integrations-rhel8@sha256:7271ce1d9e519e1940c5d7e7ca04c7d16c9a603decb5627794817affe0c0ac1b_s390x |
| Red Hat | rhacm2/node-exporter-rhel8@sha256:8055cf0b104ce23e4102b14482dbf16eab77bac6d5dcee8cc7dab99fd35b5365_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8 | rhacm2/node-exporter-rhel8@sha256:8055cf0b104ce23e4102b14482dbf16eab77bac6d5dcee8cc7dab99fd35b5365_s390x |
| Red Hat | rhacm2/acm-search-indexer-rhel8@sha256:9d69264fb6aa81e895d50782c684470671aa12741fca85a86b9a852ed6afd87a_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8 | * |
| Red Hat | rhacm2/iam-policy-controller-rhel8@sha256:633d55b53a4f61da1f6c4e7c61bcfcf561332a1afb28e87b867c1dbe4d736b01_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8 | rhacm2/iam-policy-controller-rhel8@sha256:633d55b53a4f61da1f6c4e7c61bcfcf561332a1afb28e87b867c1dbe4d736b01_ppc64le |
| Red Hat | rhacm2/search-collector-rhel8@sha256:c1de028c40767498f1bafdadd35191607234f3ac61d079b43d6974787d2a3cf8_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8 | *, rhacm2/search-collector-rhel8@sha256:c1de028c40767498f1bafdadd35191607234f3ac61d079b43d6974787d2a3cf8_amd64 |
| Red Hat | rhacm2/search-collector-rhel8@sha256:d0bdc0ce43c70919e7644a3206a60228d6930eb7e8a7f72b80b3c9b88977b1f7_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8 | rhacm2/search-collector-rhel8@sha256:d0bdc0ce43c70919e7644a3206a60228d6930eb7e8a7f72b80b3c9b88977b1f7_arm64 |
| Red Hat | rhacm2/thanos-receive-controller-rhel8@sha256:af0add787325176e9f47b598786beb154e52534a4f825bfb84cb22009b8ab479_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8 | rhacm2/thanos-receive-controller-rhel8@sha256:af0add787325176e9f47b598786beb154e52534a4f825bfb84cb22009b8ab479_arm64 |
| Red Hat | rhacm2/node-exporter-rhel8@sha256:8055cf0b104ce23e4102b14482dbf16eab77bac6d5dcee8cc7dab99fd35b5365_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8 | rhacm2/node-exporter-rhel8@sha256:8055cf0b104ce23e4102b14482dbf16eab77bac6d5dcee8cc7dab99fd35b5365_s390x, * |
| Red Hat | rhacm2/acm-search-indexer-rhel8@sha256:6614a7fecf1fd4abfe614d49eaa8bafa2a4ff6c65ed1f6c169c4a5c0354f516c_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8 | rhacm2/acm-search-indexer-rhel8@sha256:6614a7fecf1fd4abfe614d49eaa8bafa2a4ff6c65ed1f6c169c4a5c0354f516c_s390x |
| Red Hat | rhacm2/endpoint-monitoring-rhel8-operator@sha256:201fb630c9f1bb568720f02a9c204c7a47ea68c27bba47478bc635e1772bf331_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8 | rhacm2/endpoint-monitoring-rhel8-operator@sha256:201fb630c9f1bb568720f02a9c204c7a47ea68c27bba47478bc635e1772bf331_arm64 |
| Red Hat | rhacm2/grafana-dashboard-loader-rhel8@sha256:acadd3ee6cc8a2a1702fc0c32e5e51bfebd8985a37e7ff825c75d4c8ee2145f5_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8 | rhacm2/grafana-dashboard-loader-rhel8@sha256:acadd3ee6cc8a2a1702fc0c32e5e51bfebd8985a37e7ff825c75d4c8ee2145f5_amd64 |
| Red Hat | rhacm2/grafana-dashboard-loader-rhel8@sha256:d9695a6e49130b6a374136e6cc31c20f15c4b9675c4cf32d13d5867ba2a74c9d_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8 | *, rhacm2/grafana-dashboard-loader-rhel8@sha256:d9695a6e49130b6a374136e6cc31c20f15c4b9675c4cf32d13d5867ba2a74c9d_arm64 |
| Red Hat | rhacm2/observatorium-rhel8@sha256:78f19022ecf32769f096008b81cb559def1bc941d8d4392241630b7a47d71820_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8 | *, rhacm2/observatorium-rhel8@sha256:78f19022ecf32769f096008b81cb559def1bc941d8d4392241630b7a47d71820_arm64 |
| Red Hat | rhacm2/multicloud-integrations-rhel8@sha256:4071261c8b55a4c3d546ff747776eb22feb3d653328b4a7c723d25533e951457_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8 | * |
| Red Hat | rhacm2/multicluster-operators-subscription-rhel8@sha256:ded57a66cc819becc06769c36a277d0845bba3a91254ccebf81eff611a94308a_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8 | rhacm2/multicluster-operators-subscription-rhel8@sha256:ded57a66cc819becc06769c36a277d0845bba3a91254ccebf81eff611a94308a_s390x |
| Red Hat | rhacm2/multicluster-operators-channel-rhel8@sha256:d4919beefa2863ced9679a735423507834dfa81cf09a253a0420346882aef0cb_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8 | rhacm2/multicluster-operators-channel-rhel8@sha256:d4919beefa2863ced9679a735423507834dfa81cf09a253a0420346882aef0cb_amd64 |
| Red Hat | rhacm2/console-rhel8@sha256:cf4a1a2f9499d853cca37fe9753dfc6a8f0d763af20a04d18ccb5b7a14d1e8d4_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8 | rhacm2/console-rhel8@sha256:cf4a1a2f9499d853cca37fe9753dfc6a8f0d763af20a04d18ccb5b7a14d1e8d4_amd64 |
| Red Hat | rhacm2/search-collector-rhel8@sha256:977b9eef9b95250fa068a0060d2ccd132981f8582c0323e2b471a94951820c0b_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8 | rhacm2/search-collector-rhel8@sha256:977b9eef9b95250fa068a0060d2ccd132981f8582c0323e2b471a94951820c0b_s390x |
…and 330 more
Timeline
- Jan 22, 2025 CVE Published
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- May 15, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2025:0576 advisory
- https://access.redhat.com/security/updates/classification/#important advisory
- https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.8/html/release_notes/ advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2331720 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2333122 issue
- https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_0576.json advisory
- https://access.redhat.com/security/cve/CVE-2024-45337 advisory
- https://www.cve.org/CVERecord?id=CVE-2024-45337 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-45337 advisory
- https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909 advisory
- https://go.dev/cl/635315 advisory
- https://go.dev/issue/70779 advisory
- https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ advisory
- https://pkg.go.dev/vuln/GO-2024-3321 advisory
- https://access.redhat.com/security/cve/CVE-2024-45338 advisory
- https://www.cve.org/CVERecord?id=CVE-2024-45338 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-45338 advisory
- https://go.dev/cl/637536 advisory
- https://go.dev/issue/70906 advisory
- https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ advisory
…and 1 more