VDB
RHSA-2025%3A2933
RHSA-2025%3A2933
PUBLISHED
CVSS 8.199999809265137 HIGH
A flaw was found in the x/crypto/ssh go library. Applications and libraries that misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. For example, an attacker may send public keys A and B and authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B, for which the attacker does not control the private key. The misuse of ServerConfig.PublicKeyCallback may cause an authorization bypass.
Risk Scores
CVSS 3.1
8.199999809265137
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | registry.redhat.io/openshift-pipelines/pipelines-cli-tkn-rhel9@sha256:145c1960ffbaed81068376cd28f7b33ee99852faf5413f315e1df496fb194761_s390x as a component of Red Hat OpenShift Pipelines 1.18.0 | *, registry.redhat.io/openshift-pipelines/pipelines-cli-tkn-rhel9@sha256:145c1960ffbaed81068376cd28f7b33ee99852faf5413f315e1df496fb194761_s390x, * |
| Red Hat | registry.redhat.io/openshift-pipelines/pipelines-cli-tkn-rhel9@sha256:771b73b3d77172d48bbf7452e7cc8ae605aec33463aa2e9e02c223e264b44126_arm64 as a component of Red Hat OpenShift Pipelines 1.18.0 | *, *, * |
| Red Hat | registry.redhat.io/openshift-pipelines/pipelines-cli-tkn-rhel9@sha256:0c328a551c4927c815c6e50b9dbd8e77d6c7505f2ec0ee03be16f82bcc228a83_ppc64le as a component of Red Hat OpenShift Pipelines 1.18.0 | registry.redhat.io/openshift-pipelines/pipelines-cli-tkn-rhel9@sha256:0c328a551c4927c815c6e50b9dbd8e77d6c7505f2ec0ee03be16f82bcc228a83_ppc64le, *, * |
| Red Hat | registry.redhat.io/openshift-pipelines/pipelines-cli-tkn-rhel9@sha256:95a138747d0fac4b00a70805dd0b9262ed60aba940db894b90a94db8b786ac44_amd64 | |
| Red Hat | registry.redhat.io/openshift-pipelines/pipelines-cli-tkn-rhel9@sha256:0c328a551c4927c815c6e50b9dbd8e77d6c7505f2ec0ee03be16f82bcc228a83_ppc64le as a component of Red Hat OpenShift Pipelines 1.18.0 | registry.redhat.io/openshift-pipelines/pipelines-cli-tkn-rhel9@sha256:0c328a551c4927c815c6e50b9dbd8e77d6c7505f2ec0ee03be16f82bcc228a83_ppc64le |
| Red Hat | registry.redhat.io/openshift-pipelines/pipelines-cli-tkn-rhel9@sha256:771b73b3d77172d48bbf7452e7cc8ae605aec33463aa2e9e02c223e264b44126_arm64 as a component of Red Hat OpenShift Pipelines 1.18.0 | registry.redhat.io/openshift-pipelines/pipelines-cli-tkn-rhel9@sha256:771b73b3d77172d48bbf7452e7cc8ae605aec33463aa2e9e02c223e264b44126_arm64 |
| Red Hat | registry.redhat.io/openshift-pipelines/pipelines-cli-tkn-rhel9@sha256:95a138747d0fac4b00a70805dd0b9262ed60aba940db894b90a94db8b786ac44_amd64 as a component of Red Hat OpenShift Pipelines 1.18.0 | * |
| Red Hat | registry.redhat.io/openshift-pipelines/pipelines-cli-tkn-rhel9@sha256:145c1960ffbaed81068376cd28f7b33ee99852faf5413f315e1df496fb194761_s390x as a component of Red Hat OpenShift Pipelines 1.18.0 | registry.redhat.io/openshift-pipelines/pipelines-cli-tkn-rhel9@sha256:145c1960ffbaed81068376cd28f7b33ee99852faf5413f315e1df496fb194761_s390x |
| Red Hat | registry.redhat.io/openshift-pipelines/pipelines-cli-tkn-rhel9@sha256:95a138747d0fac4b00a70805dd0b9262ed60aba940db894b90a94db8b786ac44_amd64 as a component of Red Hat OpenShift Pipelines 1.18.0 | *, *, registry.redhat.io/openshift-pipelines/pipelines-cli-tkn-rhel9@sha256:95a138747d0fac4b00a70805dd0b9262ed60aba940db894b90a94db8b786ac44_amd64 |
Timeline
- Mar 17, 2025 CVE Published
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Jul 13, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2025:2933 advisory
- https://docs.redhat.com/en/documentation/red_hat_openshift_pipelines advisory
- https://access.redhat.com/security/cve/CVE-2024-45337 advisory
- https://access.redhat.com/security/cve/CVE-2024-45338 advisory
- https://access.redhat.com/security/updates/classification advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_2933.json advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2331720 issue
- https://www.cve.org/CVERecord?id=CVE-2024-45337 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-45337 advisory
- https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909 advisory
- https://go.dev/cl/635315 advisory
- https://go.dev/issue/70779 advisory
- https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ advisory
- https://pkg.go.dev/vuln/GO-2024-3321 advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2333122 issue
- https://www.cve.org/CVERecord?id=CVE-2024-45338 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-45338 advisory
- https://go.dev/cl/637536 advisory
- https://go.dev/issue/70906 advisory
- https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ advisory
…and 1 more