VDB
RHSA-2025%3A0785
RHSA-2025%3A0785
PUBLISHED
CVSS 8.199999809265137 HIGH
A flaw was found in the x/crypto/ssh go library. Applications and libraries that misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. For example, an attacker may send public keys A and B and authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B, for which the attacker does not control the private key. The misuse of ServerConfig.PublicKeyCallback may cause an authorization bypass.
Risk Scores
CVSS 3.1
8.199999809265137
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | rhacm2/acm-prometheus-config-reloader-rhel9@sha256:c03eabdc86dc0ef176621d3f6689916cb6f2acfe7a5c12fd6fefe7fe8a1d3419_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9 | *, *, rhacm2/acm-prometheus-config-reloader-rhel9@sha256:c03eabdc86dc0ef176621d3f6689916cb6f2acfe7a5c12fd6fefe7fe8a1d3419_ppc64le |
| Red Hat | rhacm2/acm-must-gather-rhel9@sha256:31edb4366444fa7ff16aa3720659ed919aa7f11bd9a8e82581ed049bb96bdca7_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9 | rhacm2/acm-must-gather-rhel9@sha256:31edb4366444fa7ff16aa3720659ed919aa7f11bd9a8e82581ed049bb96bdca7_amd64 |
| Red Hat | rhacm2/grafana-dashboard-loader-rhel9@sha256:e46b3434bd82c62c8d9057350efaf780260d224cd305a9a9a986642df1685e4b_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9 | rhacm2/grafana-dashboard-loader-rhel9@sha256:e46b3434bd82c62c8d9057350efaf780260d224cd305a9a9a986642df1685e4b_arm64 |
| Red Hat | rhacm2/memcached-rhel9@sha256:795976a1955dbda21269f1861047e8ba0ecb1ec261e7b4afb8244c9615e56d3a_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9 | * |
| Red Hat | rhacm2/acm-must-gather-rhel9@sha256:7fc6a6826ed0a25c389314d2e8216eea2ae941c869b311683600e482b302d403_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9 | rhacm2/acm-must-gather-rhel9@sha256:7fc6a6826ed0a25c389314d2e8216eea2ae941c869b311683600e482b302d403_ppc64le |
| Red Hat | rhacm2/multicluster-operators-application-rhel9@sha256:6d9e7efd91ca557edc6d4da667c262431b488524759c4a06728a3dd39e4bb855_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9 | rhacm2/multicluster-operators-application-rhel9@sha256:6d9e7efd91ca557edc6d4da667c262431b488524759c4a06728a3dd39e4bb855_s390x, *, * |
| Red Hat | rhacm2/kube-rbac-proxy-rhel9@sha256:29ab4b7f875e41e7290554495af087fff0ea084cf261d4779fada8839beed3c4_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9 | rhacm2/kube-rbac-proxy-rhel9@sha256:29ab4b7f875e41e7290554495af087fff0ea084cf261d4779fada8839beed3c4_amd64 |
| Red Hat | rhacm2/insights-metrics-rhel9@sha256:c8ea2981c6b80442b961c3d7753c9e5c9bd1fd262cdde5f3b6bb0bd9888d589a_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9 | *, rhacm2/insights-metrics-rhel9@sha256:c8ea2981c6b80442b961c3d7753c9e5c9bd1fd262cdde5f3b6bb0bd9888d589a_ppc64le, * |
| Red Hat | rhacm2/acm-cluster-permission-rhel9@sha256:9353b92e5b64f6b81e306bdef39aa596458d4d20477bbf3e693bcbf7865a053c_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9 | * |
| Red Hat | rhacm2/multicluster-operators-application-rhel9@sha256:852861ddefee77b904acf4e1e754a9786a7fba95063fc3ddbb3543094791c47c_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9 | * |
| Red Hat | rhacm2/endpoint-monitoring-rhel9-operator@sha256:c5bcdf7027f218e2223f5781df34d13745ce24fadc424df32144b668fe230e0a_ppc64le as a component of Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9 | rhacm2/endpoint-monitoring-rhel9-operator@sha256:c5bcdf7027f218e2223f5781df34d13745ce24fadc424df32144b668fe230e0a_ppc64le |
| Red Hat | rhacm2/kube-state-metrics-rhel9@sha256:4c3ec04ab48e43adddf68deb838a60fc5114bc28788ca286c957bbc6fcdd648b_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9 | rhacm2/kube-state-metrics-rhel9@sha256:4c3ec04ab48e43adddf68deb838a60fc5114bc28788ca286c957bbc6fcdd648b_s390x |
| Red Hat | rhacm2/acm-search-indexer-rhel9@sha256:cf656ad08dc6984d1508710e4f7d7bea29f40ff7c2be3affbadd1444d1a5f563_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9 | *, *, rhacm2/acm-search-indexer-rhel9@sha256:cf656ad08dc6984d1508710e4f7d7bea29f40ff7c2be3affbadd1444d1a5f563_amd64 |
| Red Hat | rhacm2/observatorium-rhel9@sha256:83bf9ce299723b7f6ab8c2e935f46160ec4f2b0670eed05e46e1d1683b0e5c03_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9 | *, *, * |
| Red Hat | rhacm2/acm-governance-policy-addon-controller-rhel9@sha256:a7dd9de580b3b17b63155cd002041f0d575006a1f68396bcbc573e73f969f8eb_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9 | rhacm2/acm-governance-policy-addon-controller-rhel9@sha256:a7dd9de580b3b17b63155cd002041f0d575006a1f68396bcbc573e73f969f8eb_arm64, *, * |
| Red Hat | rhacm2/grafana-dashboard-loader-rhel9@sha256:35f5c18ec926d186d9b7510bb35843a22ce46c1ad150b3562a5333065c028f1c_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9 | *, rhacm2/grafana-dashboard-loader-rhel9@sha256:35f5c18ec926d186d9b7510bb35843a22ce46c1ad150b3562a5333065c028f1c_s390x, * |
| Red Hat | rhacm2/cluster-backup-rhel9-operator@sha256:4ef142441f63ddeec6ad2f4d76f0c8fbee68724e980633b369edb55a80192fda_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9 | *, rhacm2/cluster-backup-rhel9-operator@sha256:4ef142441f63ddeec6ad2f4d76f0c8fbee68724e980633b369edb55a80192fda_s390x, * |
| Red Hat | rhacm2/acm-prometheus-rhel9@sha256:8ac13d8cfcabca8f9a891bd556c24996f75a352e1003e1bca8793fec719b18f8_s390x as a component of Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9 | *, *, rhacm2/acm-prometheus-rhel9@sha256:8ac13d8cfcabca8f9a891bd556c24996f75a352e1003e1bca8793fec719b18f8_s390x |
| Red Hat | rhacm2/klusterlet-addon-controller-rhel9@sha256:36abc6d1d77a0dffd811132068c539ff73df9f3d6d4d1f4d8d843c2d05508c13_arm64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9 | rhacm2/klusterlet-addon-controller-rhel9@sha256:36abc6d1d77a0dffd811132068c539ff73df9f3d6d4d1f4d8d843c2d05508c13_arm64 |
| Red Hat | rhacm2/multicluster-operators-channel-rhel9@sha256:2e54047e74e40829215a514bc7e006b13f65946af084d9ecc514866f93280f0c_amd64 as a component of Red Hat Advanced Cluster Management for Kubernetes 2.11 for RHEL 9 | rhacm2/multicluster-operators-channel-rhel9@sha256:2e54047e74e40829215a514bc7e006b13f65946af084d9ecc514866f93280f0c_amd64 |
…and 323 more
Timeline
- Jan 28, 2025 CVE Published
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Jul 5, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2025:0785 advisory
- https://access.redhat.com/security/updates/classification/#important advisory
- https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/release_notes/ advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2331063 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2331720 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2333122 issue
- https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_0785.json advisory
- https://access.redhat.com/security/cve/CVE-2024-45337 advisory
- https://www.cve.org/CVERecord?id=CVE-2024-45337 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-45337 advisory
- https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909 advisory
- https://go.dev/cl/635315 advisory
- https://go.dev/issue/70779 advisory
- https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ advisory
- https://pkg.go.dev/vuln/GO-2024-3321 advisory
- https://access.redhat.com/security/cve/CVE-2024-45338 advisory
- https://www.cve.org/CVERecord?id=CVE-2024-45338 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-45338 advisory
- https://go.dev/cl/637536 advisory
- https://go.dev/issue/70906 advisory
…and 8 more