VDB
RHSA-2025%3A0679
RHSA-2025%3A0679
PUBLISHED
CVSS 8.199999809265137 HIGH
A flaw was found in the x/crypto/ssh go library. Applications and libraries that misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. For example, an attacker may send public keys A and B and authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B, for which the attacker does not control the private key. The misuse of ServerConfig.PublicKeyCallback may cause an authorization bypass.
Risk Scores
CVSS 3.1
8.199999809265137
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | rhacm2/memcached-rhel9@sha256:03dd46b41e3c554c31e88f25f0d8e59667a95feb0aed3e51fb7f6a63df1a3846_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | * |
| Red Hat | rhacm2/cert-policy-controller-rhel9@sha256:2c236459011105abf56c5d1dd3544d62732edf50e5b19c1aeed0dd57267dc443_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | *, rhacm2/cert-policy-controller-rhel9@sha256:2c236459011105abf56c5d1dd3544d62732edf50e5b19c1aeed0dd57267dc443_ppc64le, * |
| Red Hat | rhacm2/acm-volsync-addon-controller-rhel9@sha256:bc49a183a5aec1388d0a594620e6d68b8ae98efb8666a8add4ffb05fd4bd2375_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | *, rhacm2/acm-volsync-addon-controller-rhel9@sha256:bc49a183a5aec1388d0a594620e6d68b8ae98efb8666a8add4ffb05fd4bd2375_arm64, * |
| Red Hat | rhacm2/acm-search-indexer-rhel9@sha256:cd64dd117a7893fd23144decf7bb63b9c59310366971f7d8c82998c635816ee5_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | *, rhacm2/acm-search-indexer-rhel9@sha256:cd64dd117a7893fd23144decf7bb63b9c59310366971f7d8c82998c635816ee5_amd64, * |
| Red Hat | rhacm2/thanos-receive-controller-rhel9@sha256:7fdb7c93d7eb7c697c473f906a8184ae3be00856e1e05d9d6759039000dc27ad_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | rhacm2/thanos-receive-controller-rhel9@sha256:7fdb7c93d7eb7c697c473f906a8184ae3be00856e1e05d9d6759039000dc27ad_s390x |
| Red Hat | rhacm2/acm-prometheus-rhel9@sha256:4baef2d8d53003c7210f320f682d1691705a9ab7db57a84deb799946c427659c_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | rhacm2/acm-prometheus-rhel9@sha256:4baef2d8d53003c7210f320f682d1691705a9ab7db57a84deb799946c427659c_s390x |
| Red Hat | rhacm2/multicluster-operators-channel-rhel9@sha256:1ebf3658acfa979d5805889f7e184e96164459f62345c5f633e24770af3f5d43_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | rhacm2/multicluster-operators-channel-rhel9@sha256:1ebf3658acfa979d5805889f7e184e96164459f62345c5f633e24770af3f5d43_arm64, *, * |
| Red Hat | rhacm2/node-exporter-rhel9@sha256:dfb5e46dc0f8fa75045a18c39b6798c55d32f92a04ff2b91b589e817bcd4e3a4_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | *, rhacm2/node-exporter-rhel9@sha256:dfb5e46dc0f8fa75045a18c39b6798c55d32f92a04ff2b91b589e817bcd4e3a4_amd64, * |
| Red Hat | rhacm2/multicluster-observability-rhel9-operator@sha256:8bf7dc38a4b5f3496ea0277cc4cbf3283b4469d2db48626df6dbaa1bbeceffa1_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | *, rhacm2/multicluster-observability-rhel9-operator@sha256:8bf7dc38a4b5f3496ea0277cc4cbf3283b4469d2db48626df6dbaa1bbeceffa1_amd64, * |
| Red Hat | rhacm2/prometheus-rhel9@sha256:f28ebb6128d8b2f465daf23a63c12e3e2f87b5fefe7ebd1fb336843739fbeb2c_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | rhacm2/prometheus-rhel9@sha256:f28ebb6128d8b2f465daf23a63c12e3e2f87b5fefe7ebd1fb336843739fbeb2c_s390x |
| Red Hat | rhacm2/observatorium-rhel9@sha256:14e276ffe12a20cb230da064bb0b13049817cb10ae094cca8931a0c48e179e49_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | rhacm2/observatorium-rhel9@sha256:14e276ffe12a20cb230da064bb0b13049817cb10ae094cca8931a0c48e179e49_amd64 |
| Red Hat | rhacm2/prometheus-alertmanager-rhel9@sha256:a444ced72e5f297664557134ef4ee1be03d626e3b00f472dbdc03952090f2204_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | rhacm2/prometheus-alertmanager-rhel9@sha256:a444ced72e5f297664557134ef4ee1be03d626e3b00f472dbdc03952090f2204_arm64 |
| Red Hat | rhacm2/multicluster-operators-application-rhel9@sha256:bf95f2dfcac9173ee0da59ef9f8d4d9ef775b5a1f63052e8e1d0ff7fc70beb12_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | rhacm2/multicluster-operators-application-rhel9@sha256:bf95f2dfcac9173ee0da59ef9f8d4d9ef775b5a1f63052e8e1d0ff7fc70beb12_amd64 |
| Red Hat | rhacm2/multicluster-operators-subscription-rhel9@sha256:5903d41d5636fa45376768c319ada56456afbbef24e68a432f440fb4bf04b0d5_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | rhacm2/multicluster-operators-subscription-rhel9@sha256:5903d41d5636fa45376768c319ada56456afbbef24e68a432f440fb4bf04b0d5_ppc64le |
| Red Hat | rhacm2/iam-policy-controller-rhel9@sha256:1008a71fe880bf21fd22fb8a27effbde48ed27b03de16bc2c735c83bf89c484b_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | *, *, rhacm2/iam-policy-controller-rhel9@sha256:1008a71fe880bf21fd22fb8a27effbde48ed27b03de16bc2c735c83bf89c484b_ppc64le |
| Red Hat | rhacm2/search-collector-rhel9@sha256:38cfda04ec60b72a80a5788ed1308968b660aa93be4b54f06dc7e940a0675703_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | rhacm2/search-collector-rhel9@sha256:38cfda04ec60b72a80a5788ed1308968b660aa93be4b54f06dc7e940a0675703_arm64, *, * |
| Red Hat | rhacm2/observatorium-rhel9-operator@sha256:eeec53b5cca941c47dbaba316df7702e15f7c51d41268d07de164c833df20374_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | *, *, rhacm2/observatorium-rhel9-operator@sha256:eeec53b5cca941c47dbaba316df7702e15f7c51d41268d07de164c833df20374_amd64 |
| Red Hat | rhacm2/memcached-rhel9@sha256:849478da06a8d04c7a2cfc8b6649c575d1614e94e8b6f029c2faebe7a6dbaab2_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | *, *, * |
| Red Hat | rhacm2/memcached-exporter-rhel9@sha256:7701fab18c1c0ff5ffd0d19a7e101f8a1c81c8125a537624bfd351551a37ba91_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | rhacm2/memcached-exporter-rhel9@sha256:7701fab18c1c0ff5ffd0d19a7e101f8a1c81c8125a537624bfd351551a37ba91_ppc64le |
| Red Hat | rhacm2/observatorium-rhel9-operator@sha256:049e66ba33b8646031befe8cbdb4380539e4284442c97e10ecb0f24701684b87_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.10 for RHEL 9 | rhacm2/observatorium-rhel9-operator@sha256:049e66ba33b8646031befe8cbdb4380539e4284442c97e10ecb0f24701684b87_arm64 |
…and 332 more
Timeline
- Jan 23, 2025 CVE Published
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Jul 5, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2025:0679 advisory
- https://access.redhat.com/security/updates/classification/#important advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2331720 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2333122 issue
- https://issues.redhat.com/browse/ACM-13736 advisory
- https://issues.redhat.com/browse/ACM-14483 advisory
- https://issues.redhat.com/browse/ACM-14586 advisory
- https://issues.redhat.com/browse/ACM-14601 advisory
- https://issues.redhat.com/browse/ACM-14627 advisory
- https://issues.redhat.com/browse/ACM-16330 advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_0679.json advisory
- https://access.redhat.com/security/cve/CVE-2024-45337 advisory
- https://www.cve.org/CVERecord?id=CVE-2024-45337 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-45337 advisory
- https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909 advisory
- https://go.dev/cl/635315 advisory
- https://go.dev/issue/70779 advisory
- https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ advisory
- https://pkg.go.dev/vuln/GO-2024-3321 advisory
- https://access.redhat.com/security/cve/CVE-2024-45338 advisory
…and 6 more