VDB

RHSA-2025%3A1287

RHSA-2025%3A1287 PUBLISHED CVSS 8.199999809265137 HIGH

A flaw was found in the x/crypto/ssh go library. Applications and libraries that misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. For example, an attacker may send public keys A and B and authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B, for which the attacker does not control the private key. The misuse of ServerConfig.PublicKeyCallback may cause an authorization bypass.

Risk Scores

CVSS 3.1
8.199999809265137
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Affected Products

VendorProductVersions
Red Hatregistry.redhat.io/rhtas/cosign-rhel9@sha256:1b30a7cc28abce4b5e1a3aff84dafbdaa66ac7ff6c9f494aeedf71aaf243ce53_amd64 as a component of Red Hat Trusted Artifact Signer 1.1registry.redhat.io/rhtas/cosign-rhel9@sha256:1b30a7cc28abce4b5e1a3aff84dafbdaa66ac7ff6c9f494aeedf71aaf243ce53_amd64
Red Hatregistry.redhat.io/rhtas/cosign-rhel9@sha256:1b30a7cc28abce4b5e1a3aff84dafbdaa66ac7ff6c9f494aeedf71aaf243ce53_amd64 as a component of Red Hat Trusted Artifact Signer 1.1registry.redhat.io/rhtas/cosign-rhel9@sha256:1b30a7cc28abce4b5e1a3aff84dafbdaa66ac7ff6c9f494aeedf71aaf243ce53_amd64
Red Hatregistry.redhat.io/rhtas/client-server-rhel9@sha256:698ee5b504c25801d194435e19e31b10421118f7a91605077a290b0916401b10_amd64 as a component of Red Hat Trusted Artifact Signer 1.1registry.redhat.io/rhtas/client-server-rhel9@sha256:698ee5b504c25801d194435e19e31b10421118f7a91605077a290b0916401b10_amd64
Red Hatregistry.redhat.io/rhtas/gitsign-rhel9@sha256:4d5d374593bb41777884d24137b201a783040201ca056fad5503990febdd57a4_amd64 as a component of Red Hat Trusted Artifact Signer 1.1registry.redhat.io/rhtas/gitsign-rhel9@sha256:4d5d374593bb41777884d24137b201a783040201ca056fad5503990febdd57a4_amd64
Red Hatregistry.redhat.io/rhtas/gitsign-rhel9@sha256:4d5d374593bb41777884d24137b201a783040201ca056fad5503990febdd57a4_amd64 as a component of Red Hat Trusted Artifact Signer 1.1*
Red Hatregistry.redhat.io/rhtas/client-server-rhel9@sha256:698ee5b504c25801d194435e19e31b10421118f7a91605077a290b0916401b10_amd64 as a component of Red Hat Trusted Artifact Signer 1.1registry.redhat.io/rhtas/client-server-rhel9@sha256:698ee5b504c25801d194435e19e31b10421118f7a91605077a290b0916401b10_amd64

Timeline

  • Feb 11, 2025 CVE Published
  • Apr 25, 2026 Distribution Patch
  • Apr 25, 2026 Distribution Patch
  • Apr 25, 2026 Security Advisory
  • Apr 25, 2026 Security Advisory
  • Apr 30, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›