CVE-2024-45337 — Improper Authorization in golang.org/x/crypto/ssh
Severity: 9.1 CRITICAL (NVD)
EPSS: 30.3% (top 3.31%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Dec 12
Latest update: Nov 3
Description
Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallb…
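The following is an added worked example, not code from this page or from golang.org/x/crypto: a deliberately small Go model of the SSH "publickey" method that reproduces the misuse the description refers to. The names in it (Permissions, userauthRequest, server, transcript, authenticate, bypassAttempt, the roles map, the "deploy" user and the session id) are constructed for the illustration and are not the library's types, although Permissions mirrors the shape of ssh.Permissions. The model keeps the per-key callback cache that the pre-fix library had, which is what makes a "last key the callback saw" assumption exploitable: the attacker queries its own key, queries the admin's public key (public keys are not secrets), then signs only with its own key. The cached acceptance means PublicKeyCallback is not invoked again for the signed request, so a side channel that records the last callback key names the admin while the key that actually proved possession is the attacker's. Authorization data returned inside the Permissions value from the callback and read back after the handshake (ssh.ServerConn.Permissions in the real library) is bound to the authenticating key and is not affected. golang.org/x/crypto v0.31.0 additionally enforces that the last key passed to the callback is the one used to authenticate, but that is a mitigation for misuse, not a reason to rely on ordering.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Permissions stands in for ssh.Permissions, which travels with the authenticating key.
type Permissions struct{ Extensions map[string]string }

// userauthRequest models an SSH_MSG_USERAUTH_REQUEST ("publickey"); a nil Sig is the
// query form the protocol allows before the client proves control of the private key.
type userauthRequest struct {
	User string
	Key  ed25519.PublicKey
	Sig  []byte // signature over sessionID||user (simplified); nil for a query
}

// server is a toy stand-in for ssh.ServerConfig plus connection.serverAuthenticate.
type server struct {
	sessionID         []byte
	PublicKeyCallback func(user string, key ed25519.PublicKey) (*Permissions, error)
}

func transcript(sessionID []byte, user string) []byte {
	return append(append([]byte{}, sessionID...), user...)
}

// authenticate returns the Permissions produced for the key that proved possession.
// Like the pre-fix library it caches callback results per key, so a key that was
// already queried is not passed to the callback again when its signed request arrives.
func (s *server) authenticate(reqs []userauthRequest) (*Permissions, ed25519.PublicKey, error) {
	cache := map[string]*Permissions{} // nil entry: key was rejected
	for _, r := range reqs {
		perms, seen := cache[string(r.Key)]
		if !seen {
			if p, err := s.PublicKeyCallback(r.User, r.Key); err == nil {
				perms = p
			}
			cache[string(r.Key)] = perms
		}
		if perms == nil || r.Sig == nil {
			continue // rejected key, or a query that only earns a PK_OK reply
		}
		if ed25519.Verify(r.Key, transcript(s.sessionID, r.User), r.Sig) {
			return perms, r.Key, nil
		}
	}
	return nil, nil, fmt.Errorf("no successful publickey authentication")
}

// bypassAttempt replays the attack against a callback that does both things at once:
// it records the last key it saw (the misuse in the CVE) and it also returns the role
// inside Permissions (the supported way). Keys and session id are constructed here.
func bypassAttempt() (viaLastKey, viaPermissions, viaAuthKey string, err error) {
	adminPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", "", "", err
	}
	attackerPub, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", "", "", err
	}
	roles := map[string]string{string(adminPub): "admin", string(attackerPub): "user"}

	var lastKey ed25519.PublicKey
	s := &server{sessionID: []byte("constructed-session-id")}
	s.PublicKeyCallback = func(_ string, key ed25519.PublicKey) (*Permissions, error) {
		role, ok := roles[string(key)]
		if !ok {
			return nil, fmt.Errorf("unknown key")
		}
		lastKey = key // side channel: nothing ties this to the key that will sign
		return &Permissions{Extensions: map[string]string{"role": role}}, nil
	}

	// Attacker holds the "user" key and knows the admin's public key: query own key,
	// query the admin key, then sign with the attacker key only.
	user := "deploy"
	reqs := []userauthRequest{
		{User: user, Key: attackerPub},
		{User: user, Key: adminPub},
		{User: user, Key: attackerPub, Sig: ed25519.Sign(attackerPriv, transcript(s.sessionID, user))},
	}
	perms, authKey, err := s.authenticate(reqs)
	if err != nil {
		return "", "", "", err
	}
	return roles[string(lastKey)], perms.Extensions["role"], roles[string(authKey)], nil
}

func main() {
	fmt.Println(bypassAttempt()) // admin user user <nil>
}
```

Run as-is: the side-channel value is "admin", while both the Permissions value and the role of the key that actually signed are "user". The check to apply to a real code base is therefore whether anything derived from a PublicKeyCallback argument (key bytes, fingerprint, username mapping, source-address decision) is stored outside the returned Permissions and consulted after the handshake.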
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 3.9 | Impact: 5.2
Affected Packages (2 packages)
Vulnerability Details
CVE List: Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto (2024-12-11)
GHSA: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto (2024-12-11)
OSV: Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto (2024-12-11)
OSV: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto (2024-12-11)
Vendor Advisories
Red Hat: golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto (2024-12-11)
Microsoft: Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto (2024-12-10)
Debian: CVE-2024-45337: golang-go.crypto - Applications and libraries which misuse connection.serverAuthenticate (via callb... (2024)