VDB
RHSA-2025%3A1848
RHSA-2025%3A1848
PUBLISHED
CVSS 8.199999809265137 HIGH
A flaw was found in the x/crypto/ssh go library. Applications and libraries that misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. For example, an attacker may send public keys A and B and authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B, for which the attacker does not control the private key. The misuse of ServerConfig.PublicKeyCallback may cause an authorization bypass.
Risk Scores
CVSS 3.1
8.199999809265137
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | registry.redhat.io/rhtas/gitsign-rhel9@sha256:7a4a1a6a0ad0bb4e8358e5b2a8858ed5919dd1050b620af73d6293ccabe0d236_amd64 as a component of Red Hat Trusted Artifact Signer 1.1 | registry.redhat.io/rhtas/gitsign-rhel9@sha256:7a4a1a6a0ad0bb4e8358e5b2a8858ed5919dd1050b620af73d6293ccabe0d236_amd64 |
| Red Hat | registry.redhat.io/rhtas/cosign-rhel9@sha256:3cd261cd4fed03688c6fd3c6161ae1ec69e908bbb6593ec279415414c7422535_amd64 as a component of Red Hat Trusted Artifact Signer 1.1 | registry.redhat.io/rhtas/cosign-rhel9@sha256:3cd261cd4fed03688c6fd3c6161ae1ec69e908bbb6593ec279415414c7422535_amd64 |
| Red Hat | registry.redhat.io/rhtas/client-server-rhel9@sha256:ce30450e9e3aee7368bd9ba7f756d7af0f7c0e052cd57951256adaa9c78fb562_amd64 as a component of Red Hat Trusted Artifact Signer 1.1 | registry.redhat.io/rhtas/client-server-rhel9@sha256:ce30450e9e3aee7368bd9ba7f756d7af0f7c0e052cd57951256adaa9c78fb562_amd64 |
| Red Hat | registry.redhat.io/rhtas/cosign-rhel9@sha256:3cd261cd4fed03688c6fd3c6161ae1ec69e908bbb6593ec279415414c7422535_amd64 as a component of Red Hat Trusted Artifact Signer 1.1 | registry.redhat.io/rhtas/cosign-rhel9@sha256:3cd261cd4fed03688c6fd3c6161ae1ec69e908bbb6593ec279415414c7422535_amd64 |
| Red Hat | registry.redhat.io/rhtas/client-server-rhel9@sha256:ce30450e9e3aee7368bd9ba7f756d7af0f7c0e052cd57951256adaa9c78fb562_amd64 as a component of Red Hat Trusted Artifact Signer 1.1 | registry.redhat.io/rhtas/client-server-rhel9@sha256:ce30450e9e3aee7368bd9ba7f756d7af0f7c0e052cd57951256adaa9c78fb562_amd64 |
| Red Hat | registry.redhat.io/rhtas/gitsign-rhel9@sha256:7a4a1a6a0ad0bb4e8358e5b2a8858ed5919dd1050b620af73d6293ccabe0d236_amd64 as a component of Red Hat Trusted Artifact Signer 1.1 | * |
Timeline
- Feb 25, 2025 CVE Published
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 30, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2025:1848 advisory
- https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.1 advisory
- https://access.redhat.com/documentation/en-us/red_hat_trusted_artifact_signer/1.1/html-single/release_notes/index advisory
- https://access.redhat.com/security/cve/CVE-2024-45337 advisory
- https://access.redhat.com/security/updates/classification/ advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_1848.json advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2331720 issue
- https://www.cve.org/CVERecord?id=CVE-2024-45337 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-45337 advisory
- https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909 advisory
- https://go.dev/cl/635315 advisory
- https://go.dev/issue/70779 advisory
- https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ advisory
- https://pkg.go.dev/vuln/GO-2024-3321 advisory