Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.
The vulnerability is related to an incomplete fix of the earlier CVE-2024-45337 vulnerability. If in the SSH server configuration a callback type other than a public key-based callback is passed instead of a public key-based callback, the source address validation mechanism is completely bypassed. This means that access restrictions based on IP address cease to be enforced, allowing an attacker to connect to the SSH server from any network address.
An attacker without any authentication and from any network location can bypass source address-based authorization control, gaining unauthorized access to resources of the protected SSH server. This may lead to complete breach of confidentiality and integrity of data processed by the server.
Patches available from the vendor should be applied in accordance with the references (https://go.dev/cl/781642, https://pkg.go.dev/vuln/GO-2026-5023). Additionally, it is recommended to verify the SSH server configuration for correct application of public key-based callbacks.
Applications using the Golang Crypto library with a misconfigured SSH server in which callbacks other than public key-based ones are applied — specific versions indicated in the vendor's references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:LGolang Crypto
APPGolang< 0.52.0
Related vulnerabilities
Golang Crypto: pominięcie ograniczeń przy przekazywaniu kluczy do zdalnego agenta SSH
Golang Crypto: brak wymuszenia ograniczenia ConfirmBeforeUse w NewKeyring()
Brak weryfikacji flagi User Presence w FIDO/U2F w Golang Crypto
Golang Crypto: resource leak przez niezamawiane odpowiedzi SSH global request
Integer overflow w Golang Crypto SSH — nieskończona pętla przy zapisie >4GB