VDB
RHSA-2025%3A3542
RHSA-2025%3A3542
PUBLISHED
CVSS 8.199999809265137 HIGH
A flaw was found in the x/crypto/ssh go library. Applications and libraries that misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. For example, an attacker may send public keys A and B and authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B, for which the attacker does not control the private key. The misuse of ServerConfig.PublicKeyCallback may cause an authorization bypass.
Risk Scores
CVSS 3.1
8.199999809265137
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | odf4/mcg-rhel9-operator@sha256:86347d437ac659fbba7ca5d630f67d6dfaf9b96b24bbe0d74353bcf5dea0c593_arm64 as a component of RHODF 4.15 for RHEL 9 | *, *, * |
| Red Hat | odf4/ocs-client-rhel9-operator@sha256:6d76e5388f91606338eb730c7ab757352ec2c0e163c02222014262d953667810_amd64 as a component of RHODF 4.15 for RHEL 9 | odf4/ocs-client-rhel9-operator@sha256:6d76e5388f91606338eb730c7ab757352ec2c0e163c02222014262d953667810_amd64, *, * |
| Red Hat | odf4/ocs-metrics-exporter-rhel9@sha256:a83fb46285e3e5fb176799edbb7b58f75db44bee6e5bce5009b58d08f742bf5b_s390x as a component of RHODF 4.15 for RHEL 9 | *, *, odf4/ocs-metrics-exporter-rhel9@sha256:a83fb46285e3e5fb176799edbb7b58f75db44bee6e5bce5009b58d08f742bf5b_s390x |
| Red Hat | odf4/odf-multicluster-rhel9-operator@sha256:18cc0feb72e3373314a76d955ee7658f5ebfa2d7626a604a5a71cb0a6d377a99_amd64 as a component of RHODF 4.15 for RHEL 9 | *, odf4/odf-multicluster-rhel9-operator@sha256:18cc0feb72e3373314a76d955ee7658f5ebfa2d7626a604a5a71cb0a6d377a99_amd64, * |
| Red Hat | odf4/ocs-client-operator-bundle@sha256:c81ab813061a01f78cfd4c278f0dfee3c8dc15f04c87d924eae9866adf020309_ppc64le as a component of RHODF 4.15 for RHEL 9 | odf4/ocs-client-operator-bundle@sha256:c81ab813061a01f78cfd4c278f0dfee3c8dc15f04c87d924eae9866adf020309_ppc64le, *, * |
| Red Hat | odf4/odf-rhel9-operator@sha256:d13a6ec8126d862628abdeb4a98f4cb6c177e10856c347d118ec2ce02a550055_arm64 as a component of RHODF 4.15 for RHEL 9 | *, *, * |
| Red Hat | odf4/odf-cosi-sidecar-rhel9@sha256:dd2ca2b97888416c8b80afea093b72448dc86629bb1c639e9678c2c692e0ec39_amd64 as a component of RHODF 4.15 for RHEL 9 | *, odf4/odf-cosi-sidecar-rhel9@sha256:dd2ca2b97888416c8b80afea093b72448dc86629bb1c639e9678c2c692e0ec39_amd64, * |
| Red Hat | odf4/odf-csi-addons-operator-bundle@sha256:7227150cea2a8adcc29e12b3da59587aa1a6c52a32cdd48c41c3a81b613b91cd_amd64 as a component of RHODF 4.15 for RHEL 9 | odf4/odf-csi-addons-operator-bundle@sha256:7227150cea2a8adcc29e12b3da59587aa1a6c52a32cdd48c41c3a81b613b91cd_amd64 |
| Red Hat | odf4/odf-csi-addons-operator-bundle@sha256:450915fa93b94ccbbf053e62df503b53537435a3f41a0c38198f78ea1e94b80b_ppc64le as a component of RHODF 4.15 for RHEL 9 | odf4/odf-csi-addons-operator-bundle@sha256:450915fa93b94ccbbf053e62df503b53537435a3f41a0c38198f78ea1e94b80b_ppc64le |
| Red Hat | odf4/odf-csi-addons-sidecar-rhel9@sha256:869c78d037b918ed96f8288c189dffb3a73a2e056ca210483c7ef98866bbbfb8_s390x as a component of RHODF 4.15 for RHEL 9 | odf4/odf-csi-addons-sidecar-rhel9@sha256:869c78d037b918ed96f8288c189dffb3a73a2e056ca210483c7ef98866bbbfb8_s390x |
| Red Hat | odf4/odf-multicluster-operator-bundle@sha256:5ee30837a0b18143ed4410a879449197df831aa9da3f9e34d984bba54ea4933a_s390x as a component of RHODF 4.15 for RHEL 9 | *, odf4/odf-multicluster-operator-bundle@sha256:5ee30837a0b18143ed4410a879449197df831aa9da3f9e34d984bba54ea4933a_s390x, * |
| Red Hat | odf4/odf-csi-addons-operator-bundle@sha256:f97ff3b4f983ddd30285d8e8c0816b47f93b3e389791363d14d2e912bfc7606b_s390x as a component of RHODF 4.15 for RHEL 9 | odf4/odf-csi-addons-operator-bundle@sha256:f97ff3b4f983ddd30285d8e8c0816b47f93b3e389791363d14d2e912bfc7606b_s390x |
| Red Hat | odf4/odr-cluster-operator-bundle@sha256:1555cb387d9245294fb2a4a769d16850fa81d23c3cd37ae12db1b236958920bd_ppc64le as a component of RHODF 4.15 for RHEL 9 | *, odf4/odr-cluster-operator-bundle@sha256:1555cb387d9245294fb2a4a769d16850fa81d23c3cd37ae12db1b236958920bd_ppc64le, * |
| Red Hat | odf4/odr-hub-operator-bundle@sha256:102ecaa53a174455c8392a9e221dd0f332613fc0c0e206182c4c483cbd7f9ff3_s390x as a component of RHODF 4.15 for RHEL 9 | *, odf4/odr-hub-operator-bundle@sha256:102ecaa53a174455c8392a9e221dd0f332613fc0c0e206182c4c483cbd7f9ff3_s390x, * |
| Red Hat | odf4/odf-must-gather-rhel9@sha256:1d0044891f122b29fe37da51ba2058b0e35f40bcf382750d5953f2fa747df2e3_amd64 as a component of RHODF 4.15 for RHEL 9 | odf4/odf-must-gather-rhel9@sha256:1d0044891f122b29fe37da51ba2058b0e35f40bcf382750d5953f2fa747df2e3_amd64 |
| Red Hat | odf4/ocs-rhel9-operator@sha256:5424e130fb363a582a73e9b6168323bf02c68a52b2d57fe6d08a8f15eb9329c6_s390x as a component of RHODF 4.15 for RHEL 9 | * |
| Red Hat | odf4/odf-operator-bundle@sha256:b48272102bd84914525944f43b25424ac8107684604c5467dc8fe8621567368c_ppc64le as a component of RHODF 4.15 for RHEL 9 | * |
| Red Hat | odf4/ocs-rhel9-operator@sha256:e53a5a6beacd5f4b0a261086c3cd8320bca975293d19bd44e722ac027541f323_arm64 as a component of RHODF 4.15 for RHEL 9 | * |
| Red Hat | odf4/mcg-operator-bundle@sha256:54996beca536094a30d924c43e3a52ff615437e08b0bfae28589194819bb7e7b_amd64 as a component of RHODF 4.15 for RHEL 9 | odf4/mcg-operator-bundle@sha256:54996beca536094a30d924c43e3a52ff615437e08b0bfae28589194819bb7e7b_amd64 |
| Red Hat | odf4/odf-multicluster-console-rhel9@sha256:c20ff224739974a68d1397ee45520d0d1d00af115b0f8777a8a8ffb70811762f_s390x as a component of RHODF 4.15 for RHEL 9 | *, *, * |
…and 161 more
Timeline
- Apr 2, 2025 CVE Published
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Jul 13, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2025:3542 advisory
- https://access.redhat.com/security/updates/classification/#important advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2331720 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2333122 issue
- https://issues.redhat.com/browse/DFBUGS-1345 advisory
- https://issues.redhat.com/browse/DFBUGS-913 advisory
- https://issues.redhat.com/browse/DFBUGS-944 advisory
- https://issues.redhat.com/browse/DFBUGS-979 advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_3542.json advisory
- https://access.redhat.com/security/cve/CVE-2024-45337 advisory
- https://www.cve.org/CVERecord?id=CVE-2024-45337 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-45337 advisory
- https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909 advisory
- https://go.dev/cl/635315 advisory
- https://go.dev/issue/70779 advisory
- https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ advisory
- https://pkg.go.dev/vuln/GO-2024-3321 advisory
- https://access.redhat.com/security/cve/CVE-2024-45338 advisory
- https://www.cve.org/CVERecord?id=CVE-2024-45338 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-45338 advisory
…and 4 more