CVE-2024-45337 (GCVE-0-2024-45337)
Vulnerability from cvelistv5 – Published: 2024-12-11 18:55 – Updated: 2025-02-18 20:48
CWE-1108 - Excessive Reliance on Global Variables

| Vendor | Product | Version |
|---|---|---|
| golang.org/x/crypto | golang.org/x/crypto/ssh | Affected: 0, < 0.31.0 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-01-31T15:02:46.088Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2024/12/11/2"
},
{
"url": "https://security.netapp.com/advisory/ntap-20250131-0007/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45337",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-12T17:57:55.896008Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T17:58:29.810Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/crypto/ssh",
"product": "golang.org/x/crypto/ssh",
"programRoutines": [
{
"name": "ServerConfig.PublicKeyCallback"
},
{
"name": "connection.serverAuthenticate"
},
{
"name": "NewServerConn"
}
],
"vendor": "golang.org/x/crypto",
"versions": [
{
"lessThan": "0.31.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Damien Tournoud (Platform.sh / Upsun)"
},
{
"lang": "en",
"value": "Patrick Dawkins (Platform.sh / Upsun)"
},
{
"lang": "en",
"value": "Vince Parker (Platform.sh / Upsun)"
},
{
"lang": "en",
"value": "Jules Duvivier (Platform.sh / Upsun)"
}
],
"descriptions": [
{
"lang": "en",
"value": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. 
Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-1108: Excessive Reliance on Global Variables",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T20:48:40.404Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909"
},
{
"url": "https://go.dev/cl/635315"
},
{
"url": "https://go.dev/issue/70779"
},
{
"url": "https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ"
},
{
"url": "https://pkg.go.dev/vuln/GO-2024-3321"
}
],
"title": "Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2024-45337",
"datePublished": "2024-12-11T18:55:58.506Z",
"dateReserved": "2024-08-27T19:41:58.555Z",
"dateUpdated": "2025-02-18T20:48:40.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-45337",
"date": "2026-06-22",
"epss": "0.03092",
"percentile": "0.86022"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-45337\",\"sourceIdentifier\":\"security@golang.org\",\"published\":\"2024-12-12T02:02:07.970\",\"lastModified\":\"2025-02-18T21:15:22.187\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \\\"A call to this function does not guarantee that the key offered is in fact used to authenticate.\\\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. 
Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.\"},{\"lang\":\"es\",\"value\":\" Las aplicaciones y bibliotecas que hacen un mal uso de la devoluci\u00f3n de llamada ServerConfig.PublicKeyCallback pueden ser susceptibles a una omisi\u00f3n de autorizaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}]},\"references\":[{\"url\":\"https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909\",\"source\":\"security@golang.org\"},{\"url\":\"https://go.dev/cl/635315\",\"source\":\"security@golang.org\"},{\"url\":\"https://go.dev/issue/70779\",\"source\":\"security@golang.org\"},{\"url\":\"https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ\",\"source\":\"security@golang.org\"},{\"url\":\"https://pkg.go.dev/vul
n/GO-2024-3321\",\"source\":\"security@golang.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/12/11/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20250131-0007/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2024/12/11/2\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20250131-0007/\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-01-31T15:02:46.088Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-45337\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-12T17:57:55.896008Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-12T17:58:13.916Z\"}}], \"cna\": {\"title\": \"Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto\", \"credits\": [{\"lang\": \"en\", \"value\": \"Damien Tournoud (Platform.sh / Upsun)\"}, {\"lang\": \"en\", \"value\": \"Patrick Dawkins (Platform.sh / Upsun)\"}, {\"lang\": \"en\", \"value\": \"Vince Parker (Platform.sh / Upsun)\"}, {\"lang\": \"en\", \"value\": \"Jules Duvivier (Platform.sh / Upsun)\"}], \"affected\": [{\"vendor\": \"golang.org/x/crypto\", \"product\": \"golang.org/x/crypto/ssh\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.31.0\", \"versionType\": \"semver\"}], \"packageName\": \"golang.org/x/crypto/ssh\", \"collectionURL\": 
\"https://pkg.go.dev\", \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"ServerConfig.PublicKeyCallback\"}, {\"name\": \"connection.serverAuthenticate\"}, {\"name\": \"NewServerConn\"}]}], \"references\": [{\"url\": \"https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909\"}, {\"url\": \"https://go.dev/cl/635315\"}, {\"url\": \"https://go.dev/issue/70779\"}, {\"url\": \"https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ\"}, {\"url\": \"https://pkg.go.dev/vuln/GO-2024-3321\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \\\"A call to this function does not guarantee that the key offered is in fact used to authenticate.\\\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. 
Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE-1108: Excessive Reliance on Global Variables\"}]}], \"providerMetadata\": {\"orgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"shortName\": \"Go\", \"dateUpdated\": \"2025-02-18T20:48:40.404Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-45337\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-18T20:48:40.404Z\", \"dateReserved\": \"2024-08-27T19:41:58.555Z\", \"assignerOrgId\": \"1bb62c36-49e3-4200-9d77-64a1400537cc\", \"datePublished\": \"2024-12-11T18:55:58.506Z\", \"assignerShortName\": \"Go\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
cleanstart-2026-gy66569
Vulnerability from cleanstart
Multiple security vulnerabilities affect the rabbitmq-messaging-topology-operator package. These issues are resolved in later releases. See references for individual vulnerability details.
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "rabbitmq-messaging-topology-operator"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.3-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the rabbitmq-messaging-topology-operator package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-GY66569",
"modified": "2026-06-05T10:00:04Z",
"published": "2026-06-08T12:43:55.932404Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-GY66569.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-45337"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25679"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27139"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27140"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27142"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27143"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27144"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32288"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33811"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33814"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-34986"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39817"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39819"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39820"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39823"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39825"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39826"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39836"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42499"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42501"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-6v2p-p943-phr9"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-c6gw-w398-hv78"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f6x5-jh6r-wrfv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-hcg3-p754-cr77"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-j5w8-q4qc-rx2x"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qxp5-gw88-xv66"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v778-237x-gjrc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vvgc-356p-c3xw"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45337"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27139"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27140"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27142"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27143"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27144"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32288"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33811"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33814"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39817"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39819"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39820"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39823"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39825"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39826"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39836"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42499"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42501"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2024-45337, CVE-2026-25679, CVE-2026-27139, CVE-2026-27140, CVE-2026-27142, CVE-2026-27143, CVE-2026-27144, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32288, CVE-2026-32289, CVE-2026-33811, CVE-2026-33814, CVE-2026-34986, CVE-2026-39817, CVE-2026-39819, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-42499, CVE-2026-42501, ghsa-6v2p-p943-phr9, ghsa-c6gw-w398-hv78, ghsa-f6x5-jh6r-wrfv, ghsa-hcg3-p754-cr77, ghsa-j5w8-q4qc-rx2x, ghsa-qxp5-gw88-xv66, ghsa-v778-237x-gjrc, ghsa-vvgc-356p-c3xw applied in versions: 1.15.0-r1, 1.18.3-r0",
"upstream": [
"CVE-2024-45337",
"CVE-2026-25679",
"CVE-2026-27139",
"CVE-2026-27140",
"CVE-2026-27142",
"CVE-2026-27143",
"CVE-2026-27144",
"CVE-2026-32280",
"CVE-2026-32281",
"CVE-2026-32282",
"CVE-2026-32283",
"CVE-2026-32288",
"CVE-2026-32289",
"CVE-2026-33811",
"CVE-2026-33814",
"CVE-2026-34986",
"CVE-2026-39817",
"CVE-2026-39819",
"CVE-2026-39820",
"CVE-2026-39823",
"CVE-2026-39825",
"CVE-2026-39826",
"CVE-2026-39836",
"CVE-2026-42499",
"CVE-2026-42501",
"ghsa-6v2p-p943-phr9",
"ghsa-c6gw-w398-hv78",
"ghsa-f6x5-jh6r-wrfv",
"ghsa-hcg3-p754-cr77",
"ghsa-j5w8-q4qc-rx2x",
"ghsa-qxp5-gw88-xv66",
"ghsa-v778-237x-gjrc",
"ghsa-vvgc-356p-c3xw"
]
}
cleanstart-2026-mw09143
Vulnerability from cleanstart
Multiple security vulnerabilities affect the rabbitmq-messaging-topology-operator package. These issues are resolved in later releases. See references for individual vulnerability details.
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "rabbitmq-messaging-topology-operator"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.19.2-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the rabbitmq-messaging-topology-operator package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-MW09143",
"modified": "2026-06-05T04:39:36Z",
"published": "2026-06-08T13:16:00.985351Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-MW09143.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-45337"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25680"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25681"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27136"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27145"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33186"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-34986"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-39821"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42502"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42504"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42506"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42507"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-6v2p-p943-phr9"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-78h2-9frx-2jm8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-c6gw-w398-hv78"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f6x5-jh6r-wrfv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-hcg3-p754-cr77"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-j5w8-q4qc-rx2x"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qxp5-gw88-xv66"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v778-237x-gjrc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vvgc-356p-c3xw"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45337"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25680"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25681"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27136"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27145"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34986"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39821"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42502"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42504"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42506"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42507"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2024-45337, CVE-2026-25680, CVE-2026-25681, CVE-2026-27136, CVE-2026-27145, CVE-2026-33186, CVE-2026-34986, CVE-2026-39821, CVE-2026-42502, CVE-2026-42504, CVE-2026-42506, CVE-2026-42507, ghsa-6v2p-p943-phr9, ghsa-78h2-9frx-2jm8, ghsa-c6gw-w398-hv78, ghsa-f6x5-jh6r-wrfv, ghsa-hcg3-p754-cr77, ghsa-j5w8-q4qc-rx2x, ghsa-qxp5-gw88-xv66, ghsa-v778-237x-gjrc, ghsa-vvgc-356p-c3xw applied in versions: 1.15.0-r1, 1.19.0-r0, 1.19.1-r0, 1.19.2-r0",
"upstream": [
"CVE-2024-45337",
"CVE-2026-25680",
"CVE-2026-25681",
"CVE-2026-27136",
"CVE-2026-27145",
"CVE-2026-33186",
"CVE-2026-34986",
"CVE-2026-39821",
"CVE-2026-42502",
"CVE-2026-42504",
"CVE-2026-42506",
"CVE-2026-42507",
"ghsa-6v2p-p943-phr9",
"ghsa-78h2-9frx-2jm8",
"ghsa-c6gw-w398-hv78",
"ghsa-f6x5-jh6r-wrfv",
"ghsa-hcg3-p754-cr77",
"ghsa-j5w8-q4qc-rx2x",
"ghsa-qxp5-gw88-xv66",
"ghsa-v778-237x-gjrc",
"ghsa-vvgc-356p-c3xw"
]
}
FKIE_CVE-2024-45337
Vulnerability from fkie_nvd - Published: 2024-12-12 02:02 - Updated: 2026-06-17 07:54

| Source | URL | Tags |
|---|---|---|
| security@golang.org | https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909 | |
| security@golang.org | https://go.dev/cl/635315 | |
| security@golang.org | https://go.dev/issue/70779 | |
| security@golang.org | https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ | |
| security@golang.org | https://pkg.go.dev/vuln/GO-2024-3321 | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2024/12/11/2 | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20250131-0007/ | |
{
"affected": [
{
"affectedData": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/crypto/ssh",
"product": "golang.org/x/crypto/ssh",
"programRoutines": [
{
"name": "ServerConfig.PublicKeyCallback"
},
{
"name": "connection.serverAuthenticate"
},
{
"name": "NewServerConn"
}
],
"vendor": "golang.org/x/crypto",
"versions": [
{
"lessThan": "0.31.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"source": "security@golang.org"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. 
Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance."
},
{
"lang": "es",
"value": " Las aplicaciones y bibliotecas que hacen un mal uso de la devoluci\u00f3n de llamada ServerConfig.PublicKeyCallback pueden ser susceptibles a una omisi\u00f3n de autorizaci\u00f3n."
}
],
"id": "CVE-2024-45337",
"lastModified": "2026-06-17T07:54:03.360",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2024-45337",
"options": [
{
"exploitation": "none"
},
{
"automatable": "yes"
},
{
"technicalImpact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-12T17:57:55.896008Z",
"version": "2.0.3"
}
}
]
},
"published": "2024-12-12T02:02:07.970",
"references": [
{
"source": "security@golang.org",
"url": "https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909"
},
{
"source": "security@golang.org",
"url": "https://go.dev/cl/635315"
},
{
"source": "security@golang.org",
"url": "https://go.dev/issue/70779"
},
{
"source": "security@golang.org",
"url": "https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ"
},
{
"source": "security@golang.org",
"url": "https://pkg.go.dev/vuln/GO-2024-3321"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2024/12/11/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20250131-0007/"
}
],
"sourceIdentifier": "security@golang.org",
"vulnStatus": "Deferred"
}
GHSA-V778-237X-GJRC
Vulnerability from github – Published: 2024-12-11 22:03 – Updated: 2025-01-31 15:30
Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.
The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.
For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.
Since this API is widely misused, as a partial mitigation golang.org/x/crypto@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.
Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.
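The failure mode and the recommended pattern described above, as an added example (not code from golang.org/x/crypto or from the advisory): a standard-library-only model of how a server older than v0.31.0 invokes the public-key callback. `Permissions`, `attempt`, `serve`, the key names and the account table are hypothetical stand-ins for `ssh.Permissions`, the client's authentication requests and the server handshake.

```go
package main

import (
	"errors"
	"fmt"
)

// Permissions mirrors the shape of ssh.Permissions: data returned by an
// authentication callback and bound to that one attempt.
type Permissions struct {
	Extensions map[string]string
}

// attempt is one constructed publickey request. signed=false is the
// "is this key acceptable?" query; signed=true proves control of the key.
type attempt struct {
	key    string
	signed bool
}

type callback func(key string) (*Permissions, error)

// serve models the pre-v0.31.0 behaviour the advisory describes: the callback
// result is cached per key, so a signed attempt with a key that was already
// queried does not invoke the callback again. It returns the Permissions of
// the attempt that actually authenticated.
func serve(attempts []attempt, cb callback) (*Permissions, error) {
	type result struct {
		perms *Permissions
		err   error
	}
	cache := map[string]result{}
	for _, a := range attempts {
		r, seen := cache[a.key]
		if !seen {
			p, err := cb(a.key)
			r = result{p, err}
			cache[a.key] = r
		}
		if a.signed && r.err == nil {
			return r.perms, nil
		}
	}
	return nil, errors.New("no attempt authenticated")
}

// authorizedKeys is a constructed key-to-account table.
var authorizedKeys = map[string]string{"key-A": "guest", "key-B": "admin"}

// vulnerableLogin records the offered key in state outside the return value
// and makes its authorization decision from that state after the handshake.
func vulnerableLogin(attempts []attempt) (string, error) {
	var lastKey string // external state shared by every attempt
	cb := func(key string) (*Permissions, error) {
		if _, ok := authorizedKeys[key]; !ok {
			return nil, errors.New("unknown key")
		}
		lastKey = key
		return &Permissions{}, nil
	}
	if _, err := serve(attempts, cb); err != nil {
		return "", err
	}
	return authorizedKeys[lastKey], nil
}

// hardenedLogin returns a fresh Permissions per callback invocation and reads
// the account only from the Permissions of the successful attempt.
func hardenedLogin(attempts []attempt) (string, error) {
	cb := func(key string) (*Permissions, error) {
		user, ok := authorizedKeys[key]
		if !ok {
			return nil, errors.New("unknown key")
		}
		return &Permissions{Extensions: map[string]string{"account": user}}, nil
	}
	perms, err := serve(attempts, cb)
	if err != nil {
		return "", err
	}
	return perms.Extensions["account"], nil
}

// advisorySequence is the constructed sequence from the advisory text: the
// client controls key-A only, offers A and then B, then signs with A.
func advisorySequence() []attempt {
	return []attempt{{"key-A", false}, {"key-B", false}, {"key-A", true}}
}

func main() {
	v, _ := vulnerableLogin(advisorySequence())
	h, _ := hardenedLogin(advisorySequence())
	fmt.Println("vulnerable:", v, "hardened:", h)
}
```

In the model, the externally stored key resolves to the account of key B although only key A was proven, while the per-attempt Permissions resolve to key A's account.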
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "golang.org/x/crypto"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.31.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-45337"
],
"database_specific": {
"cwe_ids": [
"CWE-285"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-11T22:03:04Z",
"nvd_published_at": "2024-12-12T02:02:07Z",
"severity": "CRITICAL"
},
"details": "Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass.\n\nThe documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.\n\nFor example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.\n\nSince this API is widely misused, as a partial mitigation golang.org/x/crypto@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.\n\nUsers should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. 
Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.",
"id": "GHSA-v778-237x-gjrc",
"modified": "2025-01-31T15:30:43Z",
"published": "2024-12-11T22:03:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45337"
},
{
"type": "WEB",
"url": "https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909"
},
{
"type": "PACKAGE",
"url": "https://github.com/golang/crypto"
},
{
"type": "WEB",
"url": "https://go.dev/cl/635315"
},
{
"type": "WEB",
"url": "https://go.dev/issue/70779"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2024-3321"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250131-0007"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/12/11/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto"
}
MSRC_CVE-2024-45337
Vulnerability from csaf_microsoft - Published: 2024-12-02 00:00 - Updated: 2026-02-18 14:35

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 17148-17086 | — | ||
| Unresolved product id: 17149-17086 | — | ||
| Unresolved product id: 17152-17086 | — | ||
| Unresolved product id: 17129-17086 | — | ||
| Unresolved product id: 17529-17084 | — | ||
| Unresolved product id: 17530-17084 | — | ||
| Unresolved product id: 17531-17084 | — | ||
| Unresolved product id: 17532-17084 | — | ||
| Unresolved product id: 17533-17084 | — | ||
| Unresolved product id: 17534-17084 | — | ||
| Unresolved product id: 17535-17084 | — | ||
| Unresolved product id: 17536-17084 | — | ||
| Unresolved product id: 17537-17084 | — | ||
| Unresolved product id: 19843-17086 | — | ||
| Unresolved product id: 19339-17084 | — | ||
| Unresolved product id: 19254-17084 | — | ||
| Unresolved product id: 19729-17084 | — | ||
| Unresolved product id: 19343-17084 | — | ||
| Unresolved product id: 19334-17084 | — | ||
| Unresolved product id: 19338-17084 | — | ||
| Unresolved product id: 19437-17086 | — | ||
| Unresolved product id: 19422-17086 | — | ||
| Unresolved product id: 19735-17086 | — | ||
| Unresolved product id: 19794-17086 | — | ||
| Unresolved product id: 19817-17086 | — | ||
| Unresolved product id: 19798-17086 | — | ||
| Unresolved product id: 19337-17084 | — | ||
| Unresolved product id: 17759-17084 | — | ||

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 17086-29 | — | | Vendor Fix: fix |
| Unresolved product id: 17086-28 | — | | Vendor Fix: fix |
| Unresolved product id: 17086-27 | — | | Vendor Fix: fix |
| Unresolved product id: 17086-30 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-26 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-25 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-24 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-23 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-22 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-21 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-20 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-19 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-18 | — | | Vendor Fix: fix |
| Unresolved product id: 17086-1 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-11 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-15 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-7 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-10 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-14 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-12 | — | | Vendor Fix: fix |
| Unresolved product id: 17086-8 | — | | Vendor Fix: fix |
| Unresolved product id: 17086-9 | — | | Vendor Fix: fix |
| Unresolved product id: 17086-6 | — | | Vendor Fix: fix |
| Unresolved product id: 17086-5 | — | | Vendor Fix: fix |
| Unresolved product id: 17086-3 | — | | Vendor Fix: fix |
| Unresolved product id: 17086-4 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-13 | — | | Vendor Fix: fix |
| Unresolved product id: 17084-17 | — | | Vendor Fix: fix |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 17084-16 | — | ||
| Unresolved product id: 17086-2 | — | ||

| URL | Category |
|---|---|
| https://msrc.microsoft.com/csaf/vex/2024/msrc_cve… | self |
| https://support.microsoft.com/lifecycle | external |
| https://www.first.org/cvss | external |
| https://msrc.microsoft.com/csaf/vex/2024/msrc_cve… | self |
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2024-45337 Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2024/msrc_cve-2024-45337.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto",
"tracking": {
"current_release_date": "2026-02-18T14:35:06.000Z",
"generator": {
"date": "2026-02-21T03:50:09.560Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2024-45337",
"initial_release_date": "2024-12-02T00:00:00.000Z",
"revision_history": [
{
"date": "2024-12-20T00:00:00.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2025-04-01T00:00:00.000Z",
"legacy_version": "1",
"number": "2",
"summary": "Information published."
},
{
"date": "2024-12-21T00:00:00.000Z",
"legacy_version": "2",
"number": "3",
"summary": "Information published."
},
{
"date": "2024-12-24T00:00:00.000Z",
"legacy_version": "3",
"number": "4",
"summary": "Information published."
},
{
"date": "2024-12-25T00:00:00.000Z",
"legacy_version": "4",
"number": "5",
"summary": "Information published."
},
{
"date": "2024-12-26T00:00:00.000Z",
"legacy_version": "5",
"number": "6",
"summary": "Information published."
},
{
"date": "2024-12-27T00:00:00.000Z",
"legacy_version": "6",
"number": "7",
"summary": "Information published."
},
{
"date": "2025-01-09T00:00:00.000Z",
"legacy_version": "7",
"number": "8",
"summary": "Information published."
},
{
"date": "2025-01-17T00:00:00.000Z",
"legacy_version": "8",
"number": "9",
"summary": "Information published."
},
{
"date": "2025-03-12T00:00:00.000Z",
"legacy_version": "9",
"number": "10",
"summary": "Information published."
},
{
"date": "2026-02-18T14:35:06.000Z",
"legacy_version": "1",
"number": "11",
"summary": "Information published."
}
],
"status": "final",
"version": "11"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "2.0",
"product": {
"name": "CBL Mariner 2.0",
"product_id": "17086"
}
},
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003ccbl2 moby-engine 24.0.9-12",
"product": {
"name": "\u003ccbl2 moby-engine 24.0.9-12",
"product_id": "29"
}
},
{
"category": "product_version",
"name": "cbl2 moby-engine 24.0.9-12",
"product": {
"name": "cbl2 moby-engine 24.0.9-12",
"product_id": "17148"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 moby-engine 25.0.3-9",
"product": {
"name": "\u003cazl3 moby-engine 25.0.3-9",
"product_id": "22"
}
},
{
"category": "product_version",
"name": "azl3 moby-engine 25.0.3-9",
"product": {
"name": "azl3 moby-engine 25.0.3-9",
"product_id": "17533"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 moby-engine 25.0.3-13",
"product": {
"name": "\u003cazl3 moby-engine 25.0.3-13",
"product_id": "7"
}
},
{
"category": "product_version",
"name": "azl3 moby-engine 25.0.3-13",
"product": {
"name": "azl3 moby-engine 25.0.3-13",
"product_id": "19729"
}
},
{
"category": "product_version_range",
"name": "\u003ccbl2 moby-engine 24.0.9-16",
"product": {
"name": "\u003ccbl2 moby-engine 24.0.9-16",
"product_id": "9"
}
},
{
"category": "product_version",
"name": "cbl2 moby-engine 24.0.9-16",
"product": {
"name": "cbl2 moby-engine 24.0.9-16",
"product_id": "19422"
}
},
{
"category": "product_version_range",
"name": "\u003ccbl2 moby-engine 24.0.9-16",
"product": {
"name": "\u003ccbl2 moby-engine 24.0.9-16",
"product_id": "4"
}
},
{
"category": "product_version",
"name": "cbl2 moby-engine 24.0.9-16",
"product": {
"name": "cbl2 moby-engine 24.0.9-16",
"product_id": "19798"
}
}
],
"category": "product_name",
"name": "moby-engine"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003ccbl2 cert-manager 1.11.2-16",
"product": {
"name": "\u003ccbl2 cert-manager 1.11.2-16",
"product_id": "28"
}
},
{
"category": "product_version",
"name": "cbl2 cert-manager 1.11.2-16",
"product": {
"name": "cbl2 cert-manager 1.11.2-16",
"product_id": "17149"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 cert-manager 1.12.13-2",
"product": {
"name": "\u003cazl3 cert-manager 1.12.13-2",
"product_id": "24"
}
},
{
"category": "product_version",
"name": "azl3 cert-manager 1.12.13-2",
"product": {
"name": "azl3 cert-manager 1.12.13-2",
"product_id": "17531"
}
},
{
"category": "product_version_range",
"name": "\u003ccbl2 cert-manager 1.11.2-22",
"product": {
"name": "\u003ccbl2 cert-manager 1.11.2-22",
"product_id": "3"
}
},
{
"category": "product_version",
"name": "cbl2 cert-manager 1.11.2-22",
"product": {
"name": "cbl2 cert-manager 1.11.2-22",
"product_id": "19817"
}
}
],
"category": "product_name",
"name": "cert-manager"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003ccbl2 moby-compose 2.17.3-9",
"product": {
"name": "\u003ccbl2 moby-compose 2.17.3-9",
"product_id": "27"
}
},
{
"category": "product_version",
"name": "cbl2 moby-compose 2.17.3-9",
"product": {
"name": "cbl2 moby-compose 2.17.3-9",
"product_id": "17152"
}
},
{
"category": "product_version_range",
"name": "\u003ccbl2 moby-compose 2.17.3-10",
"product": {
"name": "\u003ccbl2 moby-compose 2.17.3-10",
"product_id": "5"
}
},
{
"category": "product_version",
"name": "cbl2 moby-compose 2.17.3-10",
"product": {
"name": "cbl2 moby-compose 2.17.3-10",
"product_id": "19794"
}
}
],
"category": "product_name",
"name": "moby-compose"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003ccbl2 telegraf 1.29.4-10",
"product": {
"name": "\u003ccbl2 telegraf 1.29.4-10",
"product_id": "30"
}
},
{
"category": "product_version",
"name": "cbl2 telegraf 1.29.4-10",
"product": {
"name": "cbl2 telegraf 1.29.4-10",
"product_id": "17129"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 telegraf 1.31.0-3",
"product": {
"name": "\u003cazl3 telegraf 1.31.0-3",
"product_id": "23"
}
},
{
"category": "product_version",
"name": "azl3 telegraf 1.31.0-3",
"product": {
"name": "azl3 telegraf 1.31.0-3",
"product_id": "17532"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 telegraf 1.31.0-10",
"product": {
"name": "\u003cazl3 telegraf 1.31.0-10",
"product_id": "10"
}
},
{
"category": "product_version",
"name": "azl3 telegraf 1.31.0-10",
"product": {
"name": "azl3 telegraf 1.31.0-10",
"product_id": "19343"
}
},
{
"category": "product_version_range",
"name": "\u003ccbl2 telegraf 1.29.4-15",
"product": {
"name": "\u003ccbl2 telegraf 1.29.4-15",
"product_id": "8"
}
},
{
"category": "product_version",
"name": "cbl2 telegraf 1.29.4-15",
"product": {
"name": "cbl2 telegraf 1.29.4-15",
"product_id": "19437"
}
},
{
"category": "product_version_range",
"name": "\u003ccbl2 telegraf 1.29.4-15",
"product": {
"name": "\u003ccbl2 telegraf 1.29.4-15",
"product_id": "6"
}
},
{
"category": "product_version",
"name": "cbl2 telegraf 1.29.4-15",
"product": {
"name": "cbl2 telegraf 1.29.4-15",
"product_id": "19735"
}
}
],
"category": "product_name",
"name": "telegraf"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cazl3 gh 2.62.0-3",
"product": {
"name": "\u003cazl3 gh 2.62.0-3",
"product_id": "26"
}
},
{
"category": "product_version",
"name": "azl3 gh 2.62.0-3",
"product": {
"name": "azl3 gh 2.62.0-3",
"product_id": "17529"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 gh 2.62.0-8",
"product": {
"name": "\u003cazl3 gh 2.62.0-8",
"product_id": "12"
}
},
{
"category": "product_version",
"name": "azl3 gh 2.62.0-8",
"product": {
"name": "azl3 gh 2.62.0-8",
"product_id": "19338"
}
}
],
"category": "product_name",
"name": "gh"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cazl3 docker-compose 2.27.0-2",
"product": {
"name": "\u003cazl3 docker-compose 2.27.0-2",
"product_id": "25"
}
},
{
"category": "product_version",
"name": "azl3 docker-compose 2.27.0-2",
"product": {
"name": "azl3 docker-compose 2.27.0-2",
"product_id": "17530"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 docker-compose 2.27.0-5",
"product": {
"name": "\u003cazl3 docker-compose 2.27.0-5",
"product_id": "14"
}
},
{
"category": "product_version",
"name": "azl3 docker-compose 2.27.0-5",
"product": {
"name": "azl3 docker-compose 2.27.0-5",
"product_id": "19334"
}
}
],
"category": "product_name",
"name": "docker-compose"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cazl3 docker-buildx 0.14.0-2",
"product": {
"name": "\u003cazl3 docker-buildx 0.14.0-2",
"product_id": "21"
}
},
{
"category": "product_version",
"name": "azl3 docker-buildx 0.14.0-2",
"product": {
"name": "azl3 docker-buildx 0.14.0-2",
"product_id": "17534"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 docker-buildx 0.14.0-5",
"product": {
"name": "\u003cazl3 docker-buildx 0.14.0-5",
"product_id": "15"
}
},
{
"category": "product_version",
"name": "azl3 docker-buildx 0.14.0-5",
"product": {
"name": "azl3 docker-buildx 0.14.0-5",
"product_id": "19254"
}
}
],
"category": "product_name",
"name": "docker-buildx"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cazl3 kubevirt 1.2.0-11",
"product": {
"name": "\u003cazl3 kubevirt 1.2.0-11",
"product_id": "20"
}
},
{
"category": "product_version",
"name": "azl3 kubevirt 1.2.0-11",
"product": {
"name": "azl3 kubevirt 1.2.0-11",
"product_id": "17535"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 kubevirt 1.2.0-17",
"product": {
"name": "\u003cazl3 kubevirt 1.2.0-17",
"product_id": "11"
}
},
{
"category": "product_version",
"name": "azl3 kubevirt 1.2.0-17",
"product": {
"name": "azl3 kubevirt 1.2.0-17",
"product_id": "19339"
}
}
],
"category": "product_name",
"name": "kubevirt"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cazl3 packer 1.9.5-4",
"product": {
"name": "\u003cazl3 packer 1.9.5-4",
"product_id": "19"
}
},
{
"category": "product_version",
"name": "azl3 packer 1.9.5-4",
"product": {
"name": "azl3 packer 1.9.5-4",
"product_id": "17536"
}
},
{
"category": "product_version_range",
"name": "\u003ccbl2 packer 1.9.5-5",
"product": {
"name": "\u003ccbl2 packer 1.9.5-5",
"product_id": "1"
}
},
{
"category": "product_version",
"name": "cbl2 packer 1.9.5-5",
"product": {
"name": "cbl2 packer 1.9.5-5",
"product_id": "19843"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 packer 1.9.5-6",
"product": {
"name": "\u003cazl3 packer 1.9.5-6",
"product_id": "17"
}
},
{
"category": "product_version",
"name": "azl3 packer 1.9.5-6",
"product": {
"name": "azl3 packer 1.9.5-6",
"product_id": "17759"
}
}
],
"category": "product_name",
"name": "packer"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cazl3 cf-cli 8.7.3-4",
"product": {
"name": "\u003cazl3 cf-cli 8.7.3-4",
"product_id": "18"
}
},
{
"category": "product_version",
"name": "azl3 cf-cli 8.7.3-4",
"product": {
"name": "azl3 cf-cli 8.7.3-4",
"product_id": "17537"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 cf-cli 8.7.11-3",
"product": {
"name": "\u003cazl3 cf-cli 8.7.11-3",
"product_id": "13"
}
},
{
"category": "product_version",
"name": "azl3 cf-cli 8.7.11-3",
"product": {
"name": "azl3 cf-cli 8.7.11-3",
"product_id": "19337"
}
}
],
"category": "product_name",
"name": "cf-cli"
},
{
"category": "product_name",
"name": "azl3 libcontainers-common 20240213-3",
"product": {
"name": "azl3 libcontainers-common 20240213-3",
"product_id": "16"
}
},
{
"category": "product_name",
"name": "cbl2 kubernetes 1.28.4-17",
"product": {
"name": "cbl2 kubernetes 1.28.4-17",
"product_id": "2"
}
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 moby-engine 24.0.9-12 as a component of CBL Mariner 2.0",
"product_id": "17086-29"
},
"product_reference": "29",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 moby-engine 24.0.9-12 as a component of CBL Mariner 2.0",
"product_id": "17148-17086"
},
"product_reference": "17148",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 cert-manager 1.11.2-16 as a component of CBL Mariner 2.0",
"product_id": "17086-28"
},
"product_reference": "28",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 cert-manager 1.11.2-16 as a component of CBL Mariner 2.0",
"product_id": "17149-17086"
},
"product_reference": "17149",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 moby-compose 2.17.3-9 as a component of CBL Mariner 2.0",
"product_id": "17086-27"
},
"product_reference": "27",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 moby-compose 2.17.3-9 as a component of CBL Mariner 2.0",
"product_id": "17152-17086"
},
"product_reference": "17152",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 telegraf 1.29.4-10 as a component of CBL Mariner 2.0",
"product_id": "17086-30"
},
"product_reference": "30",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 telegraf 1.29.4-10 as a component of CBL Mariner 2.0",
"product_id": "17129-17086"
},
"product_reference": "17129",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 gh 2.62.0-3 as a component of Azure Linux 3.0",
"product_id": "17084-26"
},
"product_reference": "26",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 gh 2.62.0-3 as a component of Azure Linux 3.0",
"product_id": "17529-17084"
},
"product_reference": "17529",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 docker-compose 2.27.0-2 as a component of Azure Linux 3.0",
"product_id": "17084-25"
},
"product_reference": "25",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 docker-compose 2.27.0-2 as a component of Azure Linux 3.0",
"product_id": "17530-17084"
},
"product_reference": "17530",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 cert-manager 1.12.13-2 as a component of Azure Linux 3.0",
"product_id": "17084-24"
},
"product_reference": "24",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 cert-manager 1.12.13-2 as a component of Azure Linux 3.0",
"product_id": "17531-17084"
},
"product_reference": "17531",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 telegraf 1.31.0-3 as a component of Azure Linux 3.0",
"product_id": "17084-23"
},
"product_reference": "23",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 telegraf 1.31.0-3 as a component of Azure Linux 3.0",
"product_id": "17532-17084"
},
"product_reference": "17532",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 moby-engine 25.0.3-9 as a component of Azure Linux 3.0",
"product_id": "17084-22"
},
"product_reference": "22",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 moby-engine 25.0.3-9 as a component of Azure Linux 3.0",
"product_id": "17533-17084"
},
"product_reference": "17533",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 docker-buildx 0.14.0-2 as a component of Azure Linux 3.0",
"product_id": "17084-21"
},
"product_reference": "21",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 docker-buildx 0.14.0-2 as a component of Azure Linux 3.0",
"product_id": "17534-17084"
},
"product_reference": "17534",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 kubevirt 1.2.0-11 as a component of Azure Linux 3.0",
"product_id": "17084-20"
},
"product_reference": "20",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 kubevirt 1.2.0-11 as a component of Azure Linux 3.0",
"product_id": "17535-17084"
},
"product_reference": "17535",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 packer 1.9.5-4 as a component of Azure Linux 3.0",
"product_id": "17084-19"
},
"product_reference": "19",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 packer 1.9.5-4 as a component of Azure Linux 3.0",
"product_id": "17536-17084"
},
"product_reference": "17536",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 cf-cli 8.7.3-4 as a component of Azure Linux 3.0",
"product_id": "17084-18"
},
"product_reference": "18",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 cf-cli 8.7.3-4 as a component of Azure Linux 3.0",
"product_id": "17537-17084"
},
"product_reference": "17537",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 packer 1.9.5-5 as a component of CBL Mariner 2.0",
"product_id": "17086-1"
},
"product_reference": "1",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 packer 1.9.5-5 as a component of CBL Mariner 2.0",
"product_id": "19843-17086"
},
"product_reference": "19843",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 kubevirt 1.2.0-17 as a component of Azure Linux 3.0",
"product_id": "17084-11"
},
"product_reference": "11",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 kubevirt 1.2.0-17 as a component of Azure Linux 3.0",
"product_id": "19339-17084"
},
"product_reference": "19339",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 libcontainers-common 20240213-3 as a component of Azure Linux 3.0",
"product_id": "17084-16"
},
"product_reference": "16",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 docker-buildx 0.14.0-5 as a component of Azure Linux 3.0",
"product_id": "17084-15"
},
"product_reference": "15",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 docker-buildx 0.14.0-5 as a component of Azure Linux 3.0",
"product_id": "19254-17084"
},
"product_reference": "19254",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 moby-engine 25.0.3-13 as a component of Azure Linux 3.0",
"product_id": "17084-7"
},
"product_reference": "7",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 moby-engine 25.0.3-13 as a component of Azure Linux 3.0",
"product_id": "19729-17084"
},
"product_reference": "19729",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 telegraf 1.31.0-10 as a component of Azure Linux 3.0",
"product_id": "17084-10"
},
"product_reference": "10",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 telegraf 1.31.0-10 as a component of Azure Linux 3.0",
"product_id": "19343-17084"
},
"product_reference": "19343",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 docker-compose 2.27.0-5 as a component of Azure Linux 3.0",
"product_id": "17084-14"
},
"product_reference": "14",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 docker-compose 2.27.0-5 as a component of Azure Linux 3.0",
"product_id": "19334-17084"
},
"product_reference": "19334",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 gh 2.62.0-8 as a component of Azure Linux 3.0",
"product_id": "17084-12"
},
"product_reference": "12",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 gh 2.62.0-8 as a component of Azure Linux 3.0",
"product_id": "19338-17084"
},
"product_reference": "19338",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 telegraf 1.29.4-15 as a component of CBL Mariner 2.0",
"product_id": "17086-8"
},
"product_reference": "8",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 telegraf 1.29.4-15 as a component of CBL Mariner 2.0",
"product_id": "19437-17086"
},
"product_reference": "19437",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 moby-engine 24.0.9-16 as a component of CBL Mariner 2.0",
"product_id": "17086-9"
},
"product_reference": "9",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 moby-engine 24.0.9-16 as a component of CBL Mariner 2.0",
"product_id": "19422-17086"
},
"product_reference": "19422",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 kubernetes 1.28.4-17 as a component of CBL Mariner 2.0",
"product_id": "17086-2"
},
"product_reference": "2",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 telegraf 1.29.4-15 as a component of CBL Mariner 2.0",
"product_id": "17086-6"
},
"product_reference": "6",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 telegraf 1.29.4-15 as a component of CBL Mariner 2.0",
"product_id": "19735-17086"
},
"product_reference": "19735",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 moby-compose 2.17.3-10 as a component of CBL Mariner 2.0",
"product_id": "17086-5"
},
"product_reference": "5",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 moby-compose 2.17.3-10 as a component of CBL Mariner 2.0",
"product_id": "19794-17086"
},
"product_reference": "19794",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 cert-manager 1.11.2-22 as a component of CBL Mariner 2.0",
"product_id": "17086-3"
},
"product_reference": "3",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 cert-manager 1.11.2-22 as a component of CBL Mariner 2.0",
"product_id": "19817-17086"
},
"product_reference": "19817",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 moby-engine 24.0.9-16 as a component of CBL Mariner 2.0",
"product_id": "17086-4"
},
"product_reference": "4",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 moby-engine 24.0.9-16 as a component of CBL Mariner 2.0",
"product_id": "19798-17086"
},
"product_reference": "19798",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 cf-cli 8.7.11-3 as a component of Azure Linux 3.0",
"product_id": "17084-13"
},
"product_reference": "13",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 cf-cli 8.7.11-3 as a component of Azure Linux 3.0",
"product_id": "19337-17084"
},
"product_reference": "19337",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 packer 1.9.5-6 as a component of Azure Linux 3.0",
"product_id": "17084-17"
},
"product_reference": "17",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 packer 1.9.5-6 as a component of Azure Linux 3.0",
"product_id": "17759-17084"
},
"product_reference": "17759",
"relates_to_product_reference": "17084"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45337",
"flags": [
{
"label": "component_not_present",
"product_ids": [
"17084-16",
"17086-2"
]
}
],
"notes": [
{
"category": "general",
"text": "Go",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"17148-17086",
"17149-17086",
"17152-17086",
"17129-17086",
"17529-17084",
"17530-17084",
"17531-17084",
"17532-17084",
"17533-17084",
"17534-17084",
"17535-17084",
"17536-17084",
"17537-17084",
"19843-17086",
"19339-17084",
"19254-17084",
"19729-17084",
"19343-17084",
"19334-17084",
"19338-17084",
"19437-17086",
"19422-17086",
"19735-17086",
"19794-17086",
"19817-17086",
"19798-17086",
"19337-17084",
"17759-17084"
],
"known_affected": [
"17086-29",
"17086-28",
"17086-27",
"17086-30",
"17084-26",
"17084-25",
"17084-24",
"17084-23",
"17084-22",
"17084-21",
"17084-20",
"17084-19",
"17084-18",
"17086-1",
"17084-11",
"17084-15",
"17084-7",
"17084-10",
"17084-14",
"17084-12",
"17086-8",
"17086-9",
"17086-6",
"17086-5",
"17086-3",
"17086-4",
"17084-13",
"17084-17"
],
"known_not_affected": [
"17084-16",
"17086-2"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-45337 Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2024/msrc_cve-2024-45337.json"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2024-12-20T00:00:00.000Z",
"details": "24.0.9-12:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17086-29",
"17086-9",
"17086-4"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2024-12-20T00:00:00.000Z",
"details": "1.11.2-16:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17086-28",
"17086-3"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2024-12-20T00:00:00.000Z",
"details": "2.17.3-9:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17086-27",
"17086-5"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2024-12-20T00:00:00.000Z",
"details": "1.29.4-10:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17086-30",
"17086-8",
"17086-6"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2024-12-20T00:00:00.000Z",
"details": "2.62.0-3:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-26",
"17084-12"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2024-12-20T00:00:00.000Z",
"details": "2.27.0-2:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-25",
"17084-14"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2024-12-20T00:00:00.000Z",
"details": "1.12.13-2:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-24"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2024-12-20T00:00:00.000Z",
"details": "1.31.0-3:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-23",
"17084-10"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2024-12-20T00:00:00.000Z",
"details": "25.0.3-9:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-22",
"17084-7"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2024-12-20T00:00:00.000Z",
"details": "0.14.0-2:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-21",
"17084-15"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2024-12-20T00:00:00.000Z",
"details": "1.2.0-11:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-20",
"17084-11"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2024-12-20T00:00:00.000Z",
"details": "1.9.5-4:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-19"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2024-12-20T00:00:00.000Z",
"details": "8.7.3-4:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-18",
"17084-13"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2024-12-20T00:00:00.000Z",
"details": "1.9.5-5:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17086-1"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2024-12-20T00:00:00.000Z",
"details": "1.9.5-7:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-17"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalsScore": 0.0,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.1,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"17086-29",
"17086-28",
"17086-27",
"17086-30",
"17084-26",
"17084-25",
"17084-24",
"17084-23",
"17084-22",
"17084-21",
"17084-20",
"17084-19",
"17084-18",
"17086-1",
"17084-11",
"17084-15",
"17084-7",
"17084-10",
"17084-14",
"17084-12",
"17086-8",
"17086-9",
"17086-6",
"17086-5",
"17086-3",
"17086-4",
"17084-13",
"17084-17"
]
}
],
"title": "Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto"
}
]
}
OPENSUSE-SU-2024:14573-1
Vulnerability from csaf_opensuse - Published: 2024-12-12 00:00 - Updated: 2024-12-12 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:teleport-17.0.5-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-17.0.5-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-17.0.5-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-17.0.5-1.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-bash-completion-17.0.5-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-bash-completion-17.0.5-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-bash-completion-17.0.5-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-bash-completion-17.0.5-1.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-fdpass-teleport-17.0.5-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-fdpass-teleport-17.0.5-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-fdpass-teleport-17.0.5-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-fdpass-teleport-17.0.5-1.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tbot-17.0.5-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tbot-17.0.5-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tbot-17.0.5-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tbot-17.0.5-1.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tbot-bash-completion-17.0.5-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tbot-bash-completion-17.0.5-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tbot-bash-completion-17.0.5-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tbot-bash-completion-17.0.5-1.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tbot-zsh-completion-17.0.5-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tbot-zsh-completion-17.0.5-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tbot-zsh-completion-17.0.5-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tbot-zsh-completion-17.0.5-1.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tctl-17.0.5-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tctl-17.0.5-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tctl-17.0.5-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tctl-17.0.5-1.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tctl-bash-completion-17.0.5-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tctl-bash-completion-17.0.5-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tctl-bash-completion-17.0.5-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tctl-bash-completion-17.0.5-1.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tctl-zsh-completion-17.0.5-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tctl-zsh-completion-17.0.5-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tctl-zsh-completion-17.0.5-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tctl-zsh-completion-17.0.5-1.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tsh-17.0.5-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tsh-17.0.5-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tsh-17.0.5-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tsh-17.0.5-1.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tsh-bash-completion-17.0.5-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tsh-bash-completion-17.0.5-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tsh-bash-completion-17.0.5-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tsh-bash-completion-17.0.5-1.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tsh-zsh-completion-17.0.5-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tsh-zsh-completion-17.0.5-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tsh-zsh-completion-17.0.5-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-tsh-zsh-completion-17.0.5-1.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-zsh-completion-17.0.5-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-zsh-completion-17.0.5-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-zsh-completion-17.0.5-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:teleport-zsh-completion-17.0.5-1.1.x86_64 | — | Vendor Fix | |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "teleport-17.0.5-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the teleport-17.0.5-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14573",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14573-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45337 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45337/"
}
],
"title": "teleport-17.0.5-1.1 on GA media",
"tracking": {
"current_release_date": "2024-12-12T00:00:00Z",
"generator": {
"date": "2024-12-12T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14573-1",
"initial_release_date": "2024-12-12T00:00:00Z",
"revision_history": [
{
"date": "2024-12-12T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "teleport-17.0.5-1.1.aarch64",
"product": {
"name": "teleport-17.0.5-1.1.aarch64",
"product_id": "teleport-17.0.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "teleport-bash-completion-17.0.5-1.1.aarch64",
"product": {
"name": "teleport-bash-completion-17.0.5-1.1.aarch64",
"product_id": "teleport-bash-completion-17.0.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "teleport-fdpass-teleport-17.0.5-1.1.aarch64",
"product": {
"name": "teleport-fdpass-teleport-17.0.5-1.1.aarch64",
"product_id": "teleport-fdpass-teleport-17.0.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "teleport-tbot-17.0.5-1.1.aarch64",
"product": {
"name": "teleport-tbot-17.0.5-1.1.aarch64",
"product_id": "teleport-tbot-17.0.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "teleport-tbot-bash-completion-17.0.5-1.1.aarch64",
"product": {
"name": "teleport-tbot-bash-completion-17.0.5-1.1.aarch64",
"product_id": "teleport-tbot-bash-completion-17.0.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "teleport-tbot-zsh-completion-17.0.5-1.1.aarch64",
"product": {
"name": "teleport-tbot-zsh-completion-17.0.5-1.1.aarch64",
"product_id": "teleport-tbot-zsh-completion-17.0.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "teleport-tctl-17.0.5-1.1.aarch64",
"product": {
"name": "teleport-tctl-17.0.5-1.1.aarch64",
"product_id": "teleport-tctl-17.0.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "teleport-tctl-bash-completion-17.0.5-1.1.aarch64",
"product": {
"name": "teleport-tctl-bash-completion-17.0.5-1.1.aarch64",
"product_id": "teleport-tctl-bash-completion-17.0.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "teleport-tctl-zsh-completion-17.0.5-1.1.aarch64",
"product": {
"name": "teleport-tctl-zsh-completion-17.0.5-1.1.aarch64",
"product_id": "teleport-tctl-zsh-completion-17.0.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "teleport-tsh-17.0.5-1.1.aarch64",
"product": {
"name": "teleport-tsh-17.0.5-1.1.aarch64",
"product_id": "teleport-tsh-17.0.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "teleport-tsh-bash-completion-17.0.5-1.1.aarch64",
"product": {
"name": "teleport-tsh-bash-completion-17.0.5-1.1.aarch64",
"product_id": "teleport-tsh-bash-completion-17.0.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "teleport-tsh-zsh-completion-17.0.5-1.1.aarch64",
"product": {
"name": "teleport-tsh-zsh-completion-17.0.5-1.1.aarch64",
"product_id": "teleport-tsh-zsh-completion-17.0.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "teleport-zsh-completion-17.0.5-1.1.aarch64",
"product": {
"name": "teleport-zsh-completion-17.0.5-1.1.aarch64",
"product_id": "teleport-zsh-completion-17.0.5-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "teleport-17.0.5-1.1.ppc64le",
"product": {
"name": "teleport-17.0.5-1.1.ppc64le",
"product_id": "teleport-17.0.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "teleport-bash-completion-17.0.5-1.1.ppc64le",
"product": {
"name": "teleport-bash-completion-17.0.5-1.1.ppc64le",
"product_id": "teleport-bash-completion-17.0.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "teleport-fdpass-teleport-17.0.5-1.1.ppc64le",
"product": {
"name": "teleport-fdpass-teleport-17.0.5-1.1.ppc64le",
"product_id": "teleport-fdpass-teleport-17.0.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "teleport-tbot-17.0.5-1.1.ppc64le",
"product": {
"name": "teleport-tbot-17.0.5-1.1.ppc64le",
"product_id": "teleport-tbot-17.0.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "teleport-tbot-bash-completion-17.0.5-1.1.ppc64le",
"product": {
"name": "teleport-tbot-bash-completion-17.0.5-1.1.ppc64le",
"product_id": "teleport-tbot-bash-completion-17.0.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "teleport-tbot-zsh-completion-17.0.5-1.1.ppc64le",
"product": {
"name": "teleport-tbot-zsh-completion-17.0.5-1.1.ppc64le",
"product_id": "teleport-tbot-zsh-completion-17.0.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "teleport-tctl-17.0.5-1.1.ppc64le",
"product": {
"name": "teleport-tctl-17.0.5-1.1.ppc64le",
"product_id": "teleport-tctl-17.0.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "teleport-tctl-bash-completion-17.0.5-1.1.ppc64le",
"product": {
"name": "teleport-tctl-bash-completion-17.0.5-1.1.ppc64le",
"product_id": "teleport-tctl-bash-completion-17.0.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "teleport-tctl-zsh-completion-17.0.5-1.1.ppc64le",
"product": {
"name": "teleport-tctl-zsh-completion-17.0.5-1.1.ppc64le",
"product_id": "teleport-tctl-zsh-completion-17.0.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "teleport-tsh-17.0.5-1.1.ppc64le",
"product": {
"name": "teleport-tsh-17.0.5-1.1.ppc64le",
"product_id": "teleport-tsh-17.0.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "teleport-tsh-bash-completion-17.0.5-1.1.ppc64le",
"product": {
"name": "teleport-tsh-bash-completion-17.0.5-1.1.ppc64le",
"product_id": "teleport-tsh-bash-completion-17.0.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "teleport-tsh-zsh-completion-17.0.5-1.1.ppc64le",
"product": {
"name": "teleport-tsh-zsh-completion-17.0.5-1.1.ppc64le",
"product_id": "teleport-tsh-zsh-completion-17.0.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "teleport-zsh-completion-17.0.5-1.1.ppc64le",
"product": {
"name": "teleport-zsh-completion-17.0.5-1.1.ppc64le",
"product_id": "teleport-zsh-completion-17.0.5-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "teleport-17.0.5-1.1.s390x",
"product": {
"name": "teleport-17.0.5-1.1.s390x",
"product_id": "teleport-17.0.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "teleport-bash-completion-17.0.5-1.1.s390x",
"product": {
"name": "teleport-bash-completion-17.0.5-1.1.s390x",
"product_id": "teleport-bash-completion-17.0.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "teleport-fdpass-teleport-17.0.5-1.1.s390x",
"product": {
"name": "teleport-fdpass-teleport-17.0.5-1.1.s390x",
"product_id": "teleport-fdpass-teleport-17.0.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "teleport-tbot-17.0.5-1.1.s390x",
"product": {
"name": "teleport-tbot-17.0.5-1.1.s390x",
"product_id": "teleport-tbot-17.0.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "teleport-tbot-bash-completion-17.0.5-1.1.s390x",
"product": {
"name": "teleport-tbot-bash-completion-17.0.5-1.1.s390x",
"product_id": "teleport-tbot-bash-completion-17.0.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "teleport-tbot-zsh-completion-17.0.5-1.1.s390x",
"product": {
"name": "teleport-tbot-zsh-completion-17.0.5-1.1.s390x",
"product_id": "teleport-tbot-zsh-completion-17.0.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "teleport-tctl-17.0.5-1.1.s390x",
"product": {
"name": "teleport-tctl-17.0.5-1.1.s390x",
"product_id": "teleport-tctl-17.0.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "teleport-tctl-bash-completion-17.0.5-1.1.s390x",
"product": {
"name": "teleport-tctl-bash-completion-17.0.5-1.1.s390x",
"product_id": "teleport-tctl-bash-completion-17.0.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "teleport-tctl-zsh-completion-17.0.5-1.1.s390x",
"product": {
"name": "teleport-tctl-zsh-completion-17.0.5-1.1.s390x",
"product_id": "teleport-tctl-zsh-completion-17.0.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "teleport-tsh-17.0.5-1.1.s390x",
"product": {
"name": "teleport-tsh-17.0.5-1.1.s390x",
"product_id": "teleport-tsh-17.0.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "teleport-tsh-bash-completion-17.0.5-1.1.s390x",
"product": {
"name": "teleport-tsh-bash-completion-17.0.5-1.1.s390x",
"product_id": "teleport-tsh-bash-completion-17.0.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "teleport-tsh-zsh-completion-17.0.5-1.1.s390x",
"product": {
"name": "teleport-tsh-zsh-completion-17.0.5-1.1.s390x",
"product_id": "teleport-tsh-zsh-completion-17.0.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "teleport-zsh-completion-17.0.5-1.1.s390x",
"product": {
"name": "teleport-zsh-completion-17.0.5-1.1.s390x",
"product_id": "teleport-zsh-completion-17.0.5-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "teleport-17.0.5-1.1.x86_64",
"product": {
"name": "teleport-17.0.5-1.1.x86_64",
"product_id": "teleport-17.0.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "teleport-bash-completion-17.0.5-1.1.x86_64",
"product": {
"name": "teleport-bash-completion-17.0.5-1.1.x86_64",
"product_id": "teleport-bash-completion-17.0.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "teleport-fdpass-teleport-17.0.5-1.1.x86_64",
"product": {
"name": "teleport-fdpass-teleport-17.0.5-1.1.x86_64",
"product_id": "teleport-fdpass-teleport-17.0.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "teleport-tbot-17.0.5-1.1.x86_64",
"product": {
"name": "teleport-tbot-17.0.5-1.1.x86_64",
"product_id": "teleport-tbot-17.0.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "teleport-tbot-bash-completion-17.0.5-1.1.x86_64",
"product": {
"name": "teleport-tbot-bash-completion-17.0.5-1.1.x86_64",
"product_id": "teleport-tbot-bash-completion-17.0.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "teleport-tbot-zsh-completion-17.0.5-1.1.x86_64",
"product": {
"name": "teleport-tbot-zsh-completion-17.0.5-1.1.x86_64",
"product_id": "teleport-tbot-zsh-completion-17.0.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "teleport-tctl-17.0.5-1.1.x86_64",
"product": {
"name": "teleport-tctl-17.0.5-1.1.x86_64",
"product_id": "teleport-tctl-17.0.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "teleport-tctl-bash-completion-17.0.5-1.1.x86_64",
"product": {
"name": "teleport-tctl-bash-completion-17.0.5-1.1.x86_64",
"product_id": "teleport-tctl-bash-completion-17.0.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "teleport-tctl-zsh-completion-17.0.5-1.1.x86_64",
"product": {
"name": "teleport-tctl-zsh-completion-17.0.5-1.1.x86_64",
"product_id": "teleport-tctl-zsh-completion-17.0.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "teleport-tsh-17.0.5-1.1.x86_64",
"product": {
"name": "teleport-tsh-17.0.5-1.1.x86_64",
"product_id": "teleport-tsh-17.0.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "teleport-tsh-bash-completion-17.0.5-1.1.x86_64",
"product": {
"name": "teleport-tsh-bash-completion-17.0.5-1.1.x86_64",
"product_id": "teleport-tsh-bash-completion-17.0.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "teleport-tsh-zsh-completion-17.0.5-1.1.x86_64",
"product": {
"name": "teleport-tsh-zsh-completion-17.0.5-1.1.x86_64",
"product_id": "teleport-tsh-zsh-completion-17.0.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "teleport-zsh-completion-17.0.5-1.1.x86_64",
"product": {
"name": "teleport-zsh-completion-17.0.5-1.1.x86_64",
"product_id": "teleport-zsh-completion-17.0.5-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-17.0.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-17.0.5-1.1.aarch64"
},
"product_reference": "teleport-17.0.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-17.0.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-17.0.5-1.1.ppc64le"
},
"product_reference": "teleport-17.0.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-17.0.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-17.0.5-1.1.s390x"
},
"product_reference": "teleport-17.0.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-17.0.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-17.0.5-1.1.x86_64"
},
"product_reference": "teleport-17.0.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-bash-completion-17.0.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-bash-completion-17.0.5-1.1.aarch64"
},
"product_reference": "teleport-bash-completion-17.0.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-bash-completion-17.0.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-bash-completion-17.0.5-1.1.ppc64le"
},
"product_reference": "teleport-bash-completion-17.0.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-bash-completion-17.0.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-bash-completion-17.0.5-1.1.s390x"
},
"product_reference": "teleport-bash-completion-17.0.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-bash-completion-17.0.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-bash-completion-17.0.5-1.1.x86_64"
},
"product_reference": "teleport-bash-completion-17.0.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-fdpass-teleport-17.0.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-fdpass-teleport-17.0.5-1.1.aarch64"
},
"product_reference": "teleport-fdpass-teleport-17.0.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-fdpass-teleport-17.0.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-fdpass-teleport-17.0.5-1.1.ppc64le"
},
"product_reference": "teleport-fdpass-teleport-17.0.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-fdpass-teleport-17.0.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-fdpass-teleport-17.0.5-1.1.s390x"
},
"product_reference": "teleport-fdpass-teleport-17.0.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-fdpass-teleport-17.0.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-fdpass-teleport-17.0.5-1.1.x86_64"
},
"product_reference": "teleport-fdpass-teleport-17.0.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tbot-17.0.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tbot-17.0.5-1.1.aarch64"
},
"product_reference": "teleport-tbot-17.0.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tbot-17.0.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tbot-17.0.5-1.1.ppc64le"
},
"product_reference": "teleport-tbot-17.0.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tbot-17.0.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tbot-17.0.5-1.1.s390x"
},
"product_reference": "teleport-tbot-17.0.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tbot-17.0.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tbot-17.0.5-1.1.x86_64"
},
"product_reference": "teleport-tbot-17.0.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tbot-bash-completion-17.0.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tbot-bash-completion-17.0.5-1.1.aarch64"
},
"product_reference": "teleport-tbot-bash-completion-17.0.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tbot-bash-completion-17.0.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tbot-bash-completion-17.0.5-1.1.ppc64le"
},
"product_reference": "teleport-tbot-bash-completion-17.0.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tbot-bash-completion-17.0.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tbot-bash-completion-17.0.5-1.1.s390x"
},
"product_reference": "teleport-tbot-bash-completion-17.0.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tbot-bash-completion-17.0.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tbot-bash-completion-17.0.5-1.1.x86_64"
},
"product_reference": "teleport-tbot-bash-completion-17.0.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tbot-zsh-completion-17.0.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tbot-zsh-completion-17.0.5-1.1.aarch64"
},
"product_reference": "teleport-tbot-zsh-completion-17.0.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tbot-zsh-completion-17.0.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tbot-zsh-completion-17.0.5-1.1.ppc64le"
},
"product_reference": "teleport-tbot-zsh-completion-17.0.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tbot-zsh-completion-17.0.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tbot-zsh-completion-17.0.5-1.1.s390x"
},
"product_reference": "teleport-tbot-zsh-completion-17.0.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tbot-zsh-completion-17.0.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tbot-zsh-completion-17.0.5-1.1.x86_64"
},
"product_reference": "teleport-tbot-zsh-completion-17.0.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tctl-17.0.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tctl-17.0.5-1.1.aarch64"
},
"product_reference": "teleport-tctl-17.0.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tctl-17.0.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tctl-17.0.5-1.1.ppc64le"
},
"product_reference": "teleport-tctl-17.0.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tctl-17.0.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tctl-17.0.5-1.1.s390x"
},
"product_reference": "teleport-tctl-17.0.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tctl-17.0.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tctl-17.0.5-1.1.x86_64"
},
"product_reference": "teleport-tctl-17.0.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tctl-bash-completion-17.0.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tctl-bash-completion-17.0.5-1.1.aarch64"
},
"product_reference": "teleport-tctl-bash-completion-17.0.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tctl-bash-completion-17.0.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tctl-bash-completion-17.0.5-1.1.ppc64le"
},
"product_reference": "teleport-tctl-bash-completion-17.0.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tctl-bash-completion-17.0.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tctl-bash-completion-17.0.5-1.1.s390x"
},
"product_reference": "teleport-tctl-bash-completion-17.0.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tctl-bash-completion-17.0.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tctl-bash-completion-17.0.5-1.1.x86_64"
},
"product_reference": "teleport-tctl-bash-completion-17.0.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tctl-zsh-completion-17.0.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tctl-zsh-completion-17.0.5-1.1.aarch64"
},
"product_reference": "teleport-tctl-zsh-completion-17.0.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tctl-zsh-completion-17.0.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tctl-zsh-completion-17.0.5-1.1.ppc64le"
},
"product_reference": "teleport-tctl-zsh-completion-17.0.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tctl-zsh-completion-17.0.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tctl-zsh-completion-17.0.5-1.1.s390x"
},
"product_reference": "teleport-tctl-zsh-completion-17.0.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tctl-zsh-completion-17.0.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tctl-zsh-completion-17.0.5-1.1.x86_64"
},
"product_reference": "teleport-tctl-zsh-completion-17.0.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tsh-17.0.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tsh-17.0.5-1.1.aarch64"
},
"product_reference": "teleport-tsh-17.0.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tsh-17.0.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tsh-17.0.5-1.1.ppc64le"
},
"product_reference": "teleport-tsh-17.0.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tsh-17.0.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tsh-17.0.5-1.1.s390x"
},
"product_reference": "teleport-tsh-17.0.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tsh-17.0.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tsh-17.0.5-1.1.x86_64"
},
"product_reference": "teleport-tsh-17.0.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tsh-bash-completion-17.0.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tsh-bash-completion-17.0.5-1.1.aarch64"
},
"product_reference": "teleport-tsh-bash-completion-17.0.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tsh-bash-completion-17.0.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tsh-bash-completion-17.0.5-1.1.ppc64le"
},
"product_reference": "teleport-tsh-bash-completion-17.0.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tsh-bash-completion-17.0.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tsh-bash-completion-17.0.5-1.1.s390x"
},
"product_reference": "teleport-tsh-bash-completion-17.0.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tsh-bash-completion-17.0.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tsh-bash-completion-17.0.5-1.1.x86_64"
},
"product_reference": "teleport-tsh-bash-completion-17.0.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tsh-zsh-completion-17.0.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tsh-zsh-completion-17.0.5-1.1.aarch64"
},
"product_reference": "teleport-tsh-zsh-completion-17.0.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tsh-zsh-completion-17.0.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tsh-zsh-completion-17.0.5-1.1.ppc64le"
},
"product_reference": "teleport-tsh-zsh-completion-17.0.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tsh-zsh-completion-17.0.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tsh-zsh-completion-17.0.5-1.1.s390x"
},
"product_reference": "teleport-tsh-zsh-completion-17.0.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-tsh-zsh-completion-17.0.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-tsh-zsh-completion-17.0.5-1.1.x86_64"
},
"product_reference": "teleport-tsh-zsh-completion-17.0.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-zsh-completion-17.0.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-zsh-completion-17.0.5-1.1.aarch64"
},
"product_reference": "teleport-zsh-completion-17.0.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-zsh-completion-17.0.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-zsh-completion-17.0.5-1.1.ppc64le"
},
"product_reference": "teleport-zsh-completion-17.0.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-zsh-completion-17.0.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-zsh-completion-17.0.5-1.1.s390x"
},
"product_reference": "teleport-zsh-completion-17.0.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "teleport-zsh-completion-17.0.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:teleport-zsh-completion-17.0.5-1.1.x86_64"
},
"product_reference": "teleport-zsh-completion-17.0.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45337",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45337"
}
],
"notes": [
{
"category": "general",
"text": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. 
Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:teleport-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-bash-completion-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-bash-completion-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-bash-completion-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-bash-completion-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-fdpass-teleport-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-fdpass-teleport-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-fdpass-teleport-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-fdpass-teleport-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tbot-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tbot-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tbot-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tbot-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tbot-bash-completion-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tbot-bash-completion-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tbot-bash-completion-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tbot-bash-completion-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tbot-zsh-completion-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tbot-zsh-completion-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tbot-zsh-completion-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tbot-zsh-completion-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tctl-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tctl-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tctl-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tctl-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tctl-bash-completion-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tctl-bash-completion-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tctl-bash-completion-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tctl-bash-completion-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tctl-zsh-completion-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tctl-zsh-completion-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tctl-zsh-completion-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tctl-zsh-completion-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tsh-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tsh-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tsh-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tsh-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tsh-bash-completion-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tsh-bash-completion-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tsh-bash-completion-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tsh-bash-completion-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tsh-zsh-completion-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tsh-zsh-completion-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tsh-zsh-completion-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tsh-zsh-completion-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-zsh-completion-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-zsh-completion-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-zsh-completion-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-zsh-completion-17.0.5-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45337",
"url": "https://www.suse.com/security/cve/CVE-2024-45337"
},
{
"category": "external",
"summary": "SUSE Bug 1234482 for CVE-2024-45337",
"url": "https://bugzilla.suse.com/1234482"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:teleport-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-bash-completion-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-bash-completion-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-bash-completion-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-bash-completion-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-fdpass-teleport-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-fdpass-teleport-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-fdpass-teleport-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-fdpass-teleport-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tbot-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tbot-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tbot-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tbot-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tbot-bash-completion-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tbot-bash-completion-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tbot-bash-completion-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tbot-bash-completion-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tbot-zsh-completion-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tbot-zsh-completion-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tbot-zsh-completion-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tbot-zsh-completion-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tctl-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tctl-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tctl-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tctl-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tctl-bash-completion-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tctl-bash-completion-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tctl-bash-completion-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tctl-bash-completion-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tctl-zsh-completion-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tctl-zsh-completion-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tctl-zsh-completion-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tctl-zsh-completion-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tsh-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tsh-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tsh-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tsh-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tsh-bash-completion-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tsh-bash-completion-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tsh-bash-completion-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tsh-bash-completion-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tsh-zsh-completion-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tsh-zsh-completion-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tsh-zsh-completion-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tsh-zsh-completion-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-zsh-completion-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-zsh-completion-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-zsh-completion-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-zsh-completion-17.0.5-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:teleport-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-bash-completion-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-bash-completion-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-bash-completion-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-bash-completion-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-fdpass-teleport-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-fdpass-teleport-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-fdpass-teleport-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-fdpass-teleport-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tbot-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tbot-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tbot-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tbot-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tbot-bash-completion-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tbot-bash-completion-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tbot-bash-completion-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tbot-bash-completion-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tbot-zsh-completion-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tbot-zsh-completion-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tbot-zsh-completion-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tbot-zsh-completion-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tctl-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tctl-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tctl-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tctl-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tctl-bash-completion-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tctl-bash-completion-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tctl-bash-completion-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tctl-bash-completion-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tctl-zsh-completion-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tctl-zsh-completion-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tctl-zsh-completion-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tctl-zsh-completion-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tsh-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tsh-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tsh-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tsh-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tsh-bash-completion-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tsh-bash-completion-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tsh-bash-completion-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tsh-bash-completion-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-tsh-zsh-completion-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-tsh-zsh-completion-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-tsh-zsh-completion-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-tsh-zsh-completion-17.0.5-1.1.x86_64",
"openSUSE Tumbleweed:teleport-zsh-completion-17.0.5-1.1.aarch64",
"openSUSE Tumbleweed:teleport-zsh-completion-17.0.5-1.1.ppc64le",
"openSUSE Tumbleweed:teleport-zsh-completion-17.0.5-1.1.s390x",
"openSUSE Tumbleweed:teleport-zsh-completion-17.0.5-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-12T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-45337"
}
]
}
OPENSUSE-SU-2024:14585-1
Vulnerability from csaf_opensuse - Published: 2024-12-16 00:00 - Updated: 2024-12-16 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:cloudflared-2024.12.1-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:cloudflared-2024.12.1-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:cloudflared-2024.12.1-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:cloudflared-2024.12.1-1.1.x86_64 | — | Vendor Fix | |

| URL | Category |
|---|---|
| https://www.suse.com/support/security/rating/ | external |
| https://ftp.suse.com/pub/projects/security/csaf/o… | self |
| https://lists.opensuse.org/archives/list/security… | self |
| https://lists.opensuse.org/archives/list/security… | self |
| https://www.suse.com/security/cve/CVE-2024-45337/ | self |
| https://www.suse.com/security/cve/CVE-2024-45337 | external |
| https://bugzilla.suse.com/1234482 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "cloudflared-2024.12.1-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the cloudflared-2024.12.1-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14585",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14585-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2024:14585-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3VJBDKTY25NRJXFRK6QZSRH6ZRBUV2UT/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2024:14585-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3VJBDKTY25NRJXFRK6QZSRH6ZRBUV2UT/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45337 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45337/"
}
],
"title": "cloudflared-2024.12.1-1.1 on GA media",
"tracking": {
"current_release_date": "2024-12-16T00:00:00Z",
"generator": {
"date": "2024-12-16T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14585-1",
"initial_release_date": "2024-12-16T00:00:00Z",
"revision_history": [
{
"date": "2024-12-16T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "cloudflared-2024.12.1-1.1.aarch64",
"product": {
"name": "cloudflared-2024.12.1-1.1.aarch64",
"product_id": "cloudflared-2024.12.1-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "cloudflared-2024.12.1-1.1.ppc64le",
"product": {
"name": "cloudflared-2024.12.1-1.1.ppc64le",
"product_id": "cloudflared-2024.12.1-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "cloudflared-2024.12.1-1.1.s390x",
"product": {
"name": "cloudflared-2024.12.1-1.1.s390x",
"product_id": "cloudflared-2024.12.1-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "cloudflared-2024.12.1-1.1.x86_64",
"product": {
"name": "cloudflared-2024.12.1-1.1.x86_64",
"product_id": "cloudflared-2024.12.1-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cloudflared-2024.12.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cloudflared-2024.12.1-1.1.aarch64"
},
"product_reference": "cloudflared-2024.12.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cloudflared-2024.12.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cloudflared-2024.12.1-1.1.ppc64le"
},
"product_reference": "cloudflared-2024.12.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cloudflared-2024.12.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cloudflared-2024.12.1-1.1.s390x"
},
"product_reference": "cloudflared-2024.12.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cloudflared-2024.12.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:cloudflared-2024.12.1-1.1.x86_64"
},
"product_reference": "cloudflared-2024.12.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45337",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45337"
}
],
"notes": [
{
"category": "general",
"text": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. 
Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:cloudflared-2024.12.1-1.1.aarch64",
"openSUSE Tumbleweed:cloudflared-2024.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:cloudflared-2024.12.1-1.1.s390x",
"openSUSE Tumbleweed:cloudflared-2024.12.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45337",
"url": "https://www.suse.com/security/cve/CVE-2024-45337"
},
{
"category": "external",
"summary": "SUSE Bug 1234482 for CVE-2024-45337",
"url": "https://bugzilla.suse.com/1234482"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:cloudflared-2024.12.1-1.1.aarch64",
"openSUSE Tumbleweed:cloudflared-2024.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:cloudflared-2024.12.1-1.1.s390x",
"openSUSE Tumbleweed:cloudflared-2024.12.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:cloudflared-2024.12.1-1.1.aarch64",
"openSUSE Tumbleweed:cloudflared-2024.12.1-1.1.ppc64le",
"openSUSE Tumbleweed:cloudflared-2024.12.1-1.1.s390x",
"openSUSE Tumbleweed:cloudflared-2024.12.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-45337"
}
]
}
OPENSUSE-SU-2024:14590-1
Vulnerability from csaf_opensuse - Published: 2024-12-16 00:00 - Updated: 2024-12-16 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:traefik-3.2.3-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:traefik-3.2.3-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:traefik-3.2.3-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:traefik-3.2.3-1.1.x86_64 | — | | Vendor Fix |

| URL | Category |
|---|---|
| https://www.suse.com/support/security/rating/ | external |
| https://ftp.suse.com/pub/projects/security/csaf/o… | self |
| https://lists.opensuse.org/archives/list/security… | self |
| https://lists.opensuse.org/archives/list/security… | self |
| https://www.suse.com/security/cve/CVE-2024-45337/ | self |
| https://www.suse.com/security/cve/CVE-2024-45337 | external |
| https://bugzilla.suse.com/1234482 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "traefik-3.2.3-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the traefik-3.2.3-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14590",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14590-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2024:14590-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RFAKX3BHM5IEGVFZW5ORK472VJQ7GAKL/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2024:14590-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RFAKX3BHM5IEGVFZW5ORK472VJQ7GAKL/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45337 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45337/"
}
],
"title": "traefik-3.2.3-1.1 on GA media",
"tracking": {
"current_release_date": "2024-12-16T00:00:00Z",
"generator": {
"date": "2024-12-16T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14590-1",
"initial_release_date": "2024-12-16T00:00:00Z",
"revision_history": [
{
"date": "2024-12-16T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "traefik-3.2.3-1.1.aarch64",
"product": {
"name": "traefik-3.2.3-1.1.aarch64",
"product_id": "traefik-3.2.3-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "traefik-3.2.3-1.1.ppc64le",
"product": {
"name": "traefik-3.2.3-1.1.ppc64le",
"product_id": "traefik-3.2.3-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "traefik-3.2.3-1.1.s390x",
"product": {
"name": "traefik-3.2.3-1.1.s390x",
"product_id": "traefik-3.2.3-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "traefik-3.2.3-1.1.x86_64",
"product": {
"name": "traefik-3.2.3-1.1.x86_64",
"product_id": "traefik-3.2.3-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "traefik-3.2.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:traefik-3.2.3-1.1.aarch64"
},
"product_reference": "traefik-3.2.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "traefik-3.2.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:traefik-3.2.3-1.1.ppc64le"
},
"product_reference": "traefik-3.2.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "traefik-3.2.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:traefik-3.2.3-1.1.s390x"
},
"product_reference": "traefik-3.2.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "traefik-3.2.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:traefik-3.2.3-1.1.x86_64"
},
"product_reference": "traefik-3.2.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45337",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45337"
}
],
"notes": [
{
"category": "general",
"text": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. 
Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:traefik-3.2.3-1.1.aarch64",
"openSUSE Tumbleweed:traefik-3.2.3-1.1.ppc64le",
"openSUSE Tumbleweed:traefik-3.2.3-1.1.s390x",
"openSUSE Tumbleweed:traefik-3.2.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45337",
"url": "https://www.suse.com/security/cve/CVE-2024-45337"
},
{
"category": "external",
"summary": "SUSE Bug 1234482 for CVE-2024-45337",
"url": "https://bugzilla.suse.com/1234482"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:traefik-3.2.3-1.1.aarch64",
"openSUSE Tumbleweed:traefik-3.2.3-1.1.ppc64le",
"openSUSE Tumbleweed:traefik-3.2.3-1.1.s390x",
"openSUSE Tumbleweed:traefik-3.2.3-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:traefik-3.2.3-1.1.aarch64",
"openSUSE Tumbleweed:traefik-3.2.3-1.1.ppc64le",
"openSUSE Tumbleweed:traefik-3.2.3-1.1.s390x",
"openSUSE Tumbleweed:traefik-3.2.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-16T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-45337"
}
]
}
OPENSUSE-SU-2024:14592-1
Vulnerability from csaf_opensuse - Published: 2024-12-17 00:00 - Updated: 2024-12-17 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:git-bug-0.8.0+git.1733745604.d499b6e-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:git-bug-0.8.0+git.1733745604.d499b6e-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:git-bug-0.8.0+git.1733745604.d499b6e-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:git-bug-0.8.0+git.1733745604.d499b6e-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64 | — | | Vendor Fix |

| URL | Category |
|---|---|
| https://www.suse.com/support/security/rating/ | external |
| https://ftp.suse.com/pub/projects/security/csaf/o… | self |
| https://lists.opensuse.org/archives/list/security… | self |
| https://lists.opensuse.org/archives/list/security… | self |
| https://www.suse.com/security/cve/CVE-2024-45337/ | self |
| https://www.suse.com/security/cve/CVE-2024-45337 | external |
| https://bugzilla.suse.com/1234482 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "git-bug-0.8.0+git.1733745604.d499b6e-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the git-bug-0.8.0+git.1733745604.d499b6e-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14592",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14592-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2024:14592-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XRFL3E5J4TDRJ22WLK6BNXDRPBVNWDKW/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2024:14592-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XRFL3E5J4TDRJ22WLK6BNXDRPBVNWDKW/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45337 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45337/"
}
],
"title": "git-bug-0.8.0+git.1733745604.d499b6e-1.1 on GA media",
"tracking": {
"current_release_date": "2024-12-17T00:00:00Z",
"generator": {
"date": "2024-12-17T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14592-1",
"initial_release_date": "2024-12-17T00:00:00Z",
"revision_history": [
{
"date": "2024-12-17T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "git-bug-0.8.0+git.1733745604.d499b6e-1.1.aarch64",
"product": {
"name": "git-bug-0.8.0+git.1733745604.d499b6e-1.1.aarch64",
"product_id": "git-bug-0.8.0+git.1733745604.d499b6e-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64",
"product": {
"name": "git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64",
"product_id": "git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64",
"product": {
"name": "git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64",
"product_id": "git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64",
"product": {
"name": "git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64",
"product_id": "git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "git-bug-0.8.0+git.1733745604.d499b6e-1.1.ppc64le",
"product": {
"name": "git-bug-0.8.0+git.1733745604.d499b6e-1.1.ppc64le",
"product_id": "git-bug-0.8.0+git.1733745604.d499b6e-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le",
"product": {
"name": "git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le",
"product_id": "git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le",
"product": {
"name": "git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le",
"product_id": "git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le",
"product": {
"name": "git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le",
"product_id": "git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "git-bug-0.8.0+git.1733745604.d499b6e-1.1.s390x",
"product": {
"name": "git-bug-0.8.0+git.1733745604.d499b6e-1.1.s390x",
"product_id": "git-bug-0.8.0+git.1733745604.d499b6e-1.1.s390x"
}
},
{
"category": "product_version",
"name": "git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x",
"product": {
"name": "git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x",
"product_id": "git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x"
}
},
{
"category": "product_version",
"name": "git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x",
"product": {
"name": "git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x",
"product_id": "git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x"
}
},
{
"category": "product_version",
"name": "git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x",
"product": {
"name": "git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x",
"product_id": "git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "git-bug-0.8.0+git.1733745604.d499b6e-1.1.x86_64",
"product": {
"name": "git-bug-0.8.0+git.1733745604.d499b6e-1.1.x86_64",
"product_id": "git-bug-0.8.0+git.1733745604.d499b6e-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64",
"product": {
"name": "git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64",
"product_id": "git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64",
"product": {
"name": "git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64",
"product_id": "git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64",
"product": {
"name": "git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64",
"product_id": "git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-0.8.0+git.1733745604.d499b6e-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-0.8.0+git.1733745604.d499b6e-1.1.aarch64"
},
"product_reference": "git-bug-0.8.0+git.1733745604.d499b6e-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-0.8.0+git.1733745604.d499b6e-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-0.8.0+git.1733745604.d499b6e-1.1.ppc64le"
},
"product_reference": "git-bug-0.8.0+git.1733745604.d499b6e-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-0.8.0+git.1733745604.d499b6e-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-0.8.0+git.1733745604.d499b6e-1.1.s390x"
},
"product_reference": "git-bug-0.8.0+git.1733745604.d499b6e-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-0.8.0+git.1733745604.d499b6e-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-0.8.0+git.1733745604.d499b6e-1.1.x86_64"
},
"product_reference": "git-bug-0.8.0+git.1733745604.d499b6e-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64"
},
"product_reference": "git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le"
},
"product_reference": "git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x"
},
"product_reference": "git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64"
},
"product_reference": "git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64"
},
"product_reference": "git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le"
},
"product_reference": "git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x"
},
"product_reference": "git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64"
},
"product_reference": "git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64"
},
"product_reference": "git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le"
},
"product_reference": "git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x"
},
"product_reference": "git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64"
},
"product_reference": "git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45337",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45337"
}
],
"notes": [
{
"category": "general",
"text": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. \nOnce the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:git-bug-0.8.0+git.1733745604.d499b6e-1.1.aarch64",
"openSUSE Tumbleweed:git-bug-0.8.0+git.1733745604.d499b6e-1.1.ppc64le",
"openSUSE Tumbleweed:git-bug-0.8.0+git.1733745604.d499b6e-1.1.s390x",
"openSUSE Tumbleweed:git-bug-0.8.0+git.1733745604.d499b6e-1.1.x86_64",
"openSUSE Tumbleweed:git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64",
"openSUSE Tumbleweed:git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le",
"openSUSE Tumbleweed:git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x",
"openSUSE Tumbleweed:git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64",
"openSUSE Tumbleweed:git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64",
"openSUSE Tumbleweed:git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le",
"openSUSE Tumbleweed:git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x",
"openSUSE Tumbleweed:git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45337",
"url": "https://www.suse.com/security/cve/CVE-2024-45337"
},
{
"category": "external",
"summary": "SUSE Bug 1234482 for CVE-2024-45337",
"url": "https://bugzilla.suse.com/1234482"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:git-bug-0.8.0+git.1733745604.d499b6e-1.1.aarch64",
"openSUSE Tumbleweed:git-bug-0.8.0+git.1733745604.d499b6e-1.1.ppc64le",
"openSUSE Tumbleweed:git-bug-0.8.0+git.1733745604.d499b6e-1.1.s390x",
"openSUSE Tumbleweed:git-bug-0.8.0+git.1733745604.d499b6e-1.1.x86_64",
"openSUSE Tumbleweed:git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64",
"openSUSE Tumbleweed:git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le",
"openSUSE Tumbleweed:git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x",
"openSUSE Tumbleweed:git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64",
"openSUSE Tumbleweed:git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64",
"openSUSE Tumbleweed:git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le",
"openSUSE Tumbleweed:git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x",
"openSUSE Tumbleweed:git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:git-bug-0.8.0+git.1733745604.d499b6e-1.1.aarch64",
"openSUSE Tumbleweed:git-bug-0.8.0+git.1733745604.d499b6e-1.1.ppc64le",
"openSUSE Tumbleweed:git-bug-0.8.0+git.1733745604.d499b6e-1.1.s390x",
"openSUSE Tumbleweed:git-bug-0.8.0+git.1733745604.d499b6e-1.1.x86_64",
"openSUSE Tumbleweed:git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64",
"openSUSE Tumbleweed:git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le",
"openSUSE Tumbleweed:git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x",
"openSUSE Tumbleweed:git-bug-bash-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64",
"openSUSE Tumbleweed:git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64",
"openSUSE Tumbleweed:git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le",
"openSUSE Tumbleweed:git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x",
"openSUSE Tumbleweed:git-bug-fish-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.aarch64",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.ppc64le",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.s390x",
"openSUSE Tumbleweed:git-bug-zsh-completion-0.8.0+git.1733745604.d499b6e-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-17T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-45337"
}
]
}
OPENSUSE-SU-2024:14593-1
Vulnerability from csaf_opensuse - Published: 2024-12-17 00:00 - Updated: 2024-12-17 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:helm-3.16.4-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:helm-3.16.4-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:helm-3.16.4-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:helm-3.16.4-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:helm-bash-completion-3.16.4-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:helm-bash-completion-3.16.4-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:helm-bash-completion-3.16.4-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:helm-bash-completion-3.16.4-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:helm-fish-completion-3.16.4-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:helm-fish-completion-3.16.4-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:helm-fish-completion-3.16.4-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:helm-fish-completion-3.16.4-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:helm-zsh-completion-3.16.4-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:helm-zsh-completion-3.16.4-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:helm-zsh-completion-3.16.4-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:helm-zsh-completion-3.16.4-1.1.x86_64 | — | | Vendor Fix |

| URL | Category |
|---|---|
| https://www.suse.com/support/security/rating/ | external |
| https://ftp.suse.com/pub/projects/security/csaf/o… | self |
| https://lists.opensuse.org/archives/list/security… | self |
| https://lists.opensuse.org/archives/list/security… | self |
| https://www.suse.com/security/cve/CVE-2024-45337/ | self |
| https://www.suse.com/security/cve/CVE-2024-45337 | external |
| https://bugzilla.suse.com/1234482 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "helm-3.16.4-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the helm-3.16.4-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14593",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14593-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2024:14593-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AAHWJCS7IRD2RDUFE5DZXZ6M6SOGWYEK/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2024:14593-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AAHWJCS7IRD2RDUFE5DZXZ6M6SOGWYEK/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-45337 page",
"url": "https://www.suse.com/security/cve/CVE-2024-45337/"
}
],
"title": "helm-3.16.4-1.1 on GA media",
"tracking": {
"current_release_date": "2024-12-17T00:00:00Z",
"generator": {
"date": "2024-12-17T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14593-1",
"initial_release_date": "2024-12-17T00:00:00Z",
"revision_history": [
{
"date": "2024-12-17T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "helm-3.16.4-1.1.aarch64",
"product": {
"name": "helm-3.16.4-1.1.aarch64",
"product_id": "helm-3.16.4-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "helm-bash-completion-3.16.4-1.1.aarch64",
"product": {
"name": "helm-bash-completion-3.16.4-1.1.aarch64",
"product_id": "helm-bash-completion-3.16.4-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "helm-fish-completion-3.16.4-1.1.aarch64",
"product": {
"name": "helm-fish-completion-3.16.4-1.1.aarch64",
"product_id": "helm-fish-completion-3.16.4-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "helm-zsh-completion-3.16.4-1.1.aarch64",
"product": {
"name": "helm-zsh-completion-3.16.4-1.1.aarch64",
"product_id": "helm-zsh-completion-3.16.4-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.16.4-1.1.ppc64le",
"product": {
"name": "helm-3.16.4-1.1.ppc64le",
"product_id": "helm-3.16.4-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "helm-bash-completion-3.16.4-1.1.ppc64le",
"product": {
"name": "helm-bash-completion-3.16.4-1.1.ppc64le",
"product_id": "helm-bash-completion-3.16.4-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "helm-fish-completion-3.16.4-1.1.ppc64le",
"product": {
"name": "helm-fish-completion-3.16.4-1.1.ppc64le",
"product_id": "helm-fish-completion-3.16.4-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "helm-zsh-completion-3.16.4-1.1.ppc64le",
"product": {
"name": "helm-zsh-completion-3.16.4-1.1.ppc64le",
"product_id": "helm-zsh-completion-3.16.4-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.16.4-1.1.s390x",
"product": {
"name": "helm-3.16.4-1.1.s390x",
"product_id": "helm-3.16.4-1.1.s390x"
}
},
{
"category": "product_version",
"name": "helm-bash-completion-3.16.4-1.1.s390x",
"product": {
"name": "helm-bash-completion-3.16.4-1.1.s390x",
"product_id": "helm-bash-completion-3.16.4-1.1.s390x"
}
},
{
"category": "product_version",
"name": "helm-fish-completion-3.16.4-1.1.s390x",
"product": {
"name": "helm-fish-completion-3.16.4-1.1.s390x",
"product_id": "helm-fish-completion-3.16.4-1.1.s390x"
}
},
{
"category": "product_version",
"name": "helm-zsh-completion-3.16.4-1.1.s390x",
"product": {
"name": "helm-zsh-completion-3.16.4-1.1.s390x",
"product_id": "helm-zsh-completion-3.16.4-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "helm-3.16.4-1.1.x86_64",
"product": {
"name": "helm-3.16.4-1.1.x86_64",
"product_id": "helm-3.16.4-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "helm-bash-completion-3.16.4-1.1.x86_64",
"product": {
"name": "helm-bash-completion-3.16.4-1.1.x86_64",
"product_id": "helm-bash-completion-3.16.4-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "helm-fish-completion-3.16.4-1.1.x86_64",
"product": {
"name": "helm-fish-completion-3.16.4-1.1.x86_64",
"product_id": "helm-fish-completion-3.16.4-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "helm-zsh-completion-3.16.4-1.1.x86_64",
"product": {
"name": "helm-zsh-completion-3.16.4-1.1.x86_64",
"product_id": "helm-zsh-completion-3.16.4-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.16.4-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-3.16.4-1.1.aarch64"
},
"product_reference": "helm-3.16.4-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.16.4-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-3.16.4-1.1.ppc64le"
},
"product_reference": "helm-3.16.4-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.16.4-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-3.16.4-1.1.s390x"
},
"product_reference": "helm-3.16.4-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-3.16.4-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-3.16.4-1.1.x86_64"
},
"product_reference": "helm-3.16.4-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-bash-completion-3.16.4-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-bash-completion-3.16.4-1.1.aarch64"
},
"product_reference": "helm-bash-completion-3.16.4-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-bash-completion-3.16.4-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-bash-completion-3.16.4-1.1.ppc64le"
},
"product_reference": "helm-bash-completion-3.16.4-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-bash-completion-3.16.4-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-bash-completion-3.16.4-1.1.s390x"
},
"product_reference": "helm-bash-completion-3.16.4-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-bash-completion-3.16.4-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-bash-completion-3.16.4-1.1.x86_64"
},
"product_reference": "helm-bash-completion-3.16.4-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-fish-completion-3.16.4-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-fish-completion-3.16.4-1.1.aarch64"
},
"product_reference": "helm-fish-completion-3.16.4-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-fish-completion-3.16.4-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-fish-completion-3.16.4-1.1.ppc64le"
},
"product_reference": "helm-fish-completion-3.16.4-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-fish-completion-3.16.4-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-fish-completion-3.16.4-1.1.s390x"
},
"product_reference": "helm-fish-completion-3.16.4-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-fish-completion-3.16.4-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-fish-completion-3.16.4-1.1.x86_64"
},
"product_reference": "helm-fish-completion-3.16.4-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-zsh-completion-3.16.4-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-zsh-completion-3.16.4-1.1.aarch64"
},
"product_reference": "helm-zsh-completion-3.16.4-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-zsh-completion-3.16.4-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-zsh-completion-3.16.4-1.1.ppc64le"
},
"product_reference": "helm-zsh-completion-3.16.4-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-zsh-completion-3.16.4-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-zsh-completion-3.16.4-1.1.s390x"
},
"product_reference": "helm-zsh-completion-3.16.4-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "helm-zsh-completion-3.16.4-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:helm-zsh-completion-3.16.4-1.1.x86_64"
},
"product_reference": "helm-zsh-completion-3.16.4-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-45337",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-45337"
}
],
"notes": [
{
"category": "general",
"text": "Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that \"A call to this function does not guarantee that the key offered is in fact used to authenticate.\" Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. \nOnce the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:helm-3.16.4-1.1.aarch64",
"openSUSE Tumbleweed:helm-3.16.4-1.1.ppc64le",
"openSUSE Tumbleweed:helm-3.16.4-1.1.s390x",
"openSUSE Tumbleweed:helm-3.16.4-1.1.x86_64",
"openSUSE Tumbleweed:helm-bash-completion-3.16.4-1.1.aarch64",
"openSUSE Tumbleweed:helm-bash-completion-3.16.4-1.1.ppc64le",
"openSUSE Tumbleweed:helm-bash-completion-3.16.4-1.1.s390x",
"openSUSE Tumbleweed:helm-bash-completion-3.16.4-1.1.x86_64",
"openSUSE Tumbleweed:helm-fish-completion-3.16.4-1.1.aarch64",
"openSUSE Tumbleweed:helm-fish-completion-3.16.4-1.1.ppc64le",
"openSUSE Tumbleweed:helm-fish-completion-3.16.4-1.1.s390x",
"openSUSE Tumbleweed:helm-fish-completion-3.16.4-1.1.x86_64",
"openSUSE Tumbleweed:helm-zsh-completion-3.16.4-1.1.aarch64",
"openSUSE Tumbleweed:helm-zsh-completion-3.16.4-1.1.ppc64le",
"openSUSE Tumbleweed:helm-zsh-completion-3.16.4-1.1.s390x",
"openSUSE Tumbleweed:helm-zsh-completion-3.16.4-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-45337",
"url": "https://www.suse.com/security/cve/CVE-2024-45337"
},
{
"category": "external",
"summary": "SUSE Bug 1234482 for CVE-2024-45337",
"url": "https://bugzilla.suse.com/1234482"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:helm-3.16.4-1.1.aarch64",
"openSUSE Tumbleweed:helm-3.16.4-1.1.ppc64le",
"openSUSE Tumbleweed:helm-3.16.4-1.1.s390x",
"openSUSE Tumbleweed:helm-3.16.4-1.1.x86_64",
"openSUSE Tumbleweed:helm-bash-completion-3.16.4-1.1.aarch64",
"openSUSE Tumbleweed:helm-bash-completion-3.16.4-1.1.ppc64le",
"openSUSE Tumbleweed:helm-bash-completion-3.16.4-1.1.s390x",
"openSUSE Tumbleweed:helm-bash-completion-3.16.4-1.1.x86_64",
"openSUSE Tumbleweed:helm-fish-completion-3.16.4-1.1.aarch64",
"openSUSE Tumbleweed:helm-fish-completion-3.16.4-1.1.ppc64le",
"openSUSE Tumbleweed:helm-fish-completion-3.16.4-1.1.s390x",
"openSUSE Tumbleweed:helm-fish-completion-3.16.4-1.1.x86_64",
"openSUSE Tumbleweed:helm-zsh-completion-3.16.4-1.1.aarch64",
"openSUSE Tumbleweed:helm-zsh-completion-3.16.4-1.1.ppc64le",
"openSUSE Tumbleweed:helm-zsh-completion-3.16.4-1.1.s390x",
"openSUSE Tumbleweed:helm-zsh-completion-3.16.4-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:helm-3.16.4-1.1.aarch64",
"openSUSE Tumbleweed:helm-3.16.4-1.1.ppc64le",
"openSUSE Tumbleweed:helm-3.16.4-1.1.s390x",
"openSUSE Tumbleweed:helm-3.16.4-1.1.x86_64",
"openSUSE Tumbleweed:helm-bash-completion-3.16.4-1.1.aarch64",
"openSUSE Tumbleweed:helm-bash-completion-3.16.4-1.1.ppc64le",
"openSUSE Tumbleweed:helm-bash-completion-3.16.4-1.1.s390x",
"openSUSE Tumbleweed:helm-bash-completion-3.16.4-1.1.x86_64",
"openSUSE Tumbleweed:helm-fish-completion-3.16.4-1.1.aarch64",
"openSUSE Tumbleweed:helm-fish-completion-3.16.4-1.1.ppc64le",
"openSUSE Tumbleweed:helm-fish-completion-3.16.4-1.1.s390x",
"openSUSE Tumbleweed:helm-fish-completion-3.16.4-1.1.x86_64",
"openSUSE Tumbleweed:helm-zsh-completion-3.16.4-1.1.aarch64",
"openSUSE Tumbleweed:helm-zsh-completion-3.16.4-1.1.ppc64le",
"openSUSE Tumbleweed:helm-zsh-completion-3.16.4-1.1.s390x",
"openSUSE Tumbleweed:helm-zsh-completion-3.16.4-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-12-17T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2024-45337"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.