RHSA-2025:0723
PUBLISHED
CVSS 8.2 HIGH
A flaw was found in the x/crypto/ssh Go library. Applications and libraries that misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application that bases its authorization decision on the last key passed to the callback would then authorize on key B, for which the attacker does not control the private key, rather than on key A, which was actually used to authenticate.
Risk Scores
CVSS 3.1: 8.2
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | multicluster-engine/registration-rhel9@sha256:beedcd670e831b0dbb8aa708e38cfe40bb5ab0b76484e066e2d58f9fc3edc72c_ppc64le as a component of multicluster engine for Kubernetes 2.7 for RHEL 9 | multicluster-engine/registration-rhel9@sha256:beedcd670e831b0dbb8aa708e38cfe40bb5ab0b76484e066e2d58f9fc3edc72c_ppc64le |
| Red Hat | multicluster-engine/multicloud-manager-rhel9@sha256:31453ac273c660a753c4189c8327be4bf331e61a5ef6f906031a39f7a1f6e745_ppc64le as a component of multicluster engine for Kubernetes 2.7 for RHEL 9 | multicluster-engine/multicloud-manager-rhel9@sha256:31453ac273c660a753c4189c8327be4bf331e61a5ef6f906031a39f7a1f6e745_ppc64le |
| Red Hat | multicluster-engine/placement-rhel9@sha256:ab391e1119fe21fb4277ba52e01603de2f71532f5ee06cc25086aa3c4b50bb31_ppc64le as a component of multicluster engine for Kubernetes 2.7 for RHEL 9 | multicluster-engine/placement-rhel9@sha256:ab391e1119fe21fb4277ba52e01603de2f71532f5ee06cc25086aa3c4b50bb31_ppc64le |
| Red Hat | multicluster-engine/hypershift-cli-rhel9@sha256:11cfe3a7ce1ab298c742406e93abf6a902533bd3bd323be2ead144e0364bbb2e_amd64 as a component of multicluster engine for Kubernetes 2.7 for RHEL 9 | multicluster-engine/hypershift-cli-rhel9@sha256:11cfe3a7ce1ab298c742406e93abf6a902533bd3bd323be2ead144e0364bbb2e_amd64 |
| Red Hat | multicluster-engine/hypershift-rhel9-operator@sha256:5a843c612a4d4017f5f1bfe338db35c32763680f2b2954e2ac565e9e353cc594_arm64 as a component of multicluster engine for Kubernetes 2.7 for RHEL 9 | * |
| Red Hat | multicluster-engine/cluster-api-rhel9@sha256:3eb8eaf9fd740e9d5e07ae6ae88525f1073750c3ca3516a8b39e080de2a97ad9_amd64 as a component of multicluster engine for Kubernetes 2.7 for RHEL 9 | * |
| Red Hat | multicluster-engine/work-rhel9@sha256:06d5c6b16ec5ed40ecd8c41eb64ff346bcd728518c13e3db9969c5f5ad3bc18c_amd64 as a component of multicluster engine for Kubernetes 2.7 for RHEL 9 | multicluster-engine/work-rhel9@sha256:06d5c6b16ec5ed40ecd8c41eb64ff346bcd728518c13e3db9969c5f5ad3bc18c_amd64 |
| Red Hat | multicluster-engine/discovery-rhel9@sha256:b158b4072ab6726d10cc0dc6d104a459100b415f7f0ce5bb2f665b8f69cb26f7_amd64 as a component of multicluster engine for Kubernetes 2.7 for RHEL 9 | multicluster-engine/discovery-rhel9@sha256:b158b4072ab6726d10cc0dc6d104a459100b415f7f0ce5bb2f665b8f69cb26f7_amd64 |
| Red Hat | multicluster-engine/backplane-rhel9-operator@sha256:5e843151a803c27a33e96e679b63c74ff9fcfc45bf4c50728812f624dde4dd21_ppc64le as a component of multicluster engine for Kubernetes 2.7 for RHEL 9 | multicluster-engine/backplane-rhel9-operator@sha256:5e843151a803c27a33e96e679b63c74ff9fcfc45bf4c50728812f624dde4dd21_ppc64le |
| Red Hat | multicluster-engine/assisted-service-8-rhel8@sha256:f3bc75d2b866b7ac520d4ffbd94f629a2fb053a94408444599eb224d2ddf157c_arm64 as a component of multicluster engine for Kubernetes 2.7 for RHEL 8 | multicluster-engine/assisted-service-8-rhel8@sha256:f3bc75d2b866b7ac520d4ffbd94f629a2fb053a94408444599eb224d2ddf157c_arm64 |
| Red Hat | multicluster-engine/kube-rbac-proxy-mce-rhel9@sha256:6af431b3579a1de16d433018627bd5dd607a65a5d1e4caf6e3377648c0e12f91_ppc64le as a component of multicluster engine for Kubernetes 2.7 for RHEL 9 | multicluster-engine/kube-rbac-proxy-mce-rhel9@sha256:6af431b3579a1de16d433018627bd5dd607a65a5d1e4caf6e3377648c0e12f91_ppc64le |
| Red Hat | multicluster-engine/work-rhel9@sha256:38c9644bbca18c2862cdb8a5af59fc38c6d80ef92a6692f816638c10ff70be6d_s390x as a component of multicluster engine for Kubernetes 2.7 for RHEL 9 | multicluster-engine/work-rhel9@sha256:38c9644bbca18c2862cdb8a5af59fc38c6d80ef92a6692f816638c10ff70be6d_s390x |
| Red Hat | multicluster-engine/backplane-rhel9-operator@sha256:1ab51e62d1271ee21e4d14da38e976d01928b78d46d17a6fd35686482d59ebba_arm64 as a component of multicluster engine for Kubernetes 2.7 for RHEL 9 | multicluster-engine/backplane-rhel9-operator@sha256:1ab51e62d1271ee21e4d14da38e976d01928b78d46d17a6fd35686482d59ebba_arm64 |
| Red Hat | multicluster-engine/must-gather-rhel9@sha256:50e26bffd7650e46009599b0ab57f09c61e001d868f6503e8e25649d73a71d3c_amd64 as a component of multicluster engine for Kubernetes 2.7 for RHEL 9 | multicluster-engine/must-gather-rhel9@sha256:50e26bffd7650e46009599b0ab57f09c61e001d868f6503e8e25649d73a71d3c_amd64 |
| Red Hat | multicluster-engine/hypershift-rhel9-operator@sha256:5df8204916470f87434e34f717f7c287faf7480c83afae9b3a22ec20c1b51ce3_ppc64le as a component of multicluster engine for Kubernetes 2.7 for RHEL 9 | multicluster-engine/hypershift-rhel9-operator@sha256:5df8204916470f87434e34f717f7c287faf7480c83afae9b3a22ec20c1b51ce3_ppc64le |
| Red Hat | multicluster-engine/addon-manager-rhel9@sha256:a08779ba332c38f73867219b082f857b60350f84d2877cc82b843e176cbbdeda_arm64 as a component of multicluster engine for Kubernetes 2.7 for RHEL 9 | multicluster-engine/addon-manager-rhel9@sha256:a08779ba332c38f73867219b082f857b60350f84d2877cc82b843e176cbbdeda_arm64 |
| Red Hat | multicluster-engine/console-mce-rhel9@sha256:958dc6a9652ab6ba6244ef1aa1096508532f6ef46907b249df9292d12b7c64bc_ppc64le as a component of multicluster engine for Kubernetes 2.7 for RHEL 9 | * |
| Red Hat | multicluster-engine/hypershift-cli-rhel9@sha256:18404e5d8d367ba3060a138d1568ac2a7cb6f5fd3da85e2bfd3cab47143a83a0_arm64 as a component of multicluster engine for Kubernetes 2.7 for RHEL 9 | * |
| Red Hat | multicluster-engine/cluster-api-provider-agent-rhel9@sha256:9eabc41e0afcad2accdea01d9741cf605532e6171611ecccc24c15b12d3f5720_ppc64le as a component of multicluster engine for Kubernetes 2.7 for RHEL 9 | multicluster-engine/cluster-api-provider-agent-rhel9@sha256:9eabc41e0afcad2accdea01d9741cf605532e6171611ecccc24c15b12d3f5720_ppc64le |
| Red Hat | multicluster-engine/hypershift-rhel9-operator@sha256:5df8204916470f87434e34f717f7c287faf7480c83afae9b3a22ec20c1b51ce3_ppc64le as a component of multicluster engine for Kubernetes 2.7 for RHEL 9 | * |
…and 258 more
Exploit Intelligence
- Proof of Concept for CVE-2024-45337 against Gitea and Forgejo (github-poc-repo)
- Fork of gogs/gogs for reachability benchmark testing (CVE-2024-45337) (github-poc-repo)
- Fork of gogs/gogs for reachability benchmark testing (CVE-2024-45337) (github-poc)
- Proof of Concept for CVE-2024-45337 against Gitea and Forgejo (github-poc)
- An example project that showcases golang code vulnerable to CVE-2024-45337 (github-poc)
- Proof of concept (POC) for CVE-2024-45337 (github-poc)
- .trivyignore.yaml (github-poc)
- DemoReseedInfra.kt (github-poc)
- ssh.go (github-poc)
- cve.pl (github-poc)
…and 3 more exploits
Timeline
- Jan 27, 2025 CVE Published
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 30, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2025:0723 advisory
- https://access.redhat.com/security/updates/classification/#important advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2331063 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2331720 issue
- https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_0723.json advisory
- https://access.redhat.com/security/cve/CVE-2024-45337 advisory
- https://www.cve.org/CVERecord?id=CVE-2024-45337 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-45337 advisory
- https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909 advisory
- https://go.dev/cl/635315 advisory
- https://go.dev/issue/70779 advisory
- https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ advisory
- https://pkg.go.dev/vuln/GO-2024-3321 advisory
- https://access.redhat.com/security/cve/CVE-2024-55565 advisory
- https://www.cve.org/CVERecord?id=CVE-2024-55565 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-55565 advisory
- https://github.com/ai/nanoid/compare/3.3.7...3.3.8 advisory
- https://github.com/ai/nanoid/pull/510 advisory
- https://github.com/ai/nanoid/releases/tag/5.0.9 advisory