Cyber Resilience

CVE-2024-45337

Critical

Published: 12 December 2024

Modified: 15 April 2026
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.3863 (97.3rd percentile)
Risk Priority: 41 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-45337 is a critical-severity vulnerability in Go (product inferred from references); no weakness type is specified. Its CVSS base score is 9.1 (Critical).

Operationally, it ranks in the top 2.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Applications and libraries using the Go SSH package from golang.org/x/crypto are affected by an authorization bypass when they rely on the ServerConfig.PublicKeyCallback field to make security decisions. The SSH protocol permits clients to offer multiple public keys for inspection before proving possession of any private key, so the callback may receive several keys without indicating which, if any, will ultimately authenticate the session. This behavior is documented but widely misinterpreted by callers that store keys or derived data and later use them for access control once the connection succeeds.

An unauthenticated remote attacker can exploit the flaw by presenting a sequence of public keys during the handshake, authenticating with only one of them, and causing a vulnerable application to base its authorization decision on a key the attacker does not control. The result is unauthorized access with high confidentiality and integrity impact, reflected in the CVSS 9.1 rating.

Per the upstream advisory and the referenced commit, golang.org/x/crypto v0.31.0 enforces that the final key supplied to PublicKeyCallback is the one used for public-key authentication, repeating the call with the same key when necessary. The guidance further directs developers to record authentication context exclusively in the Extensions field of the Permissions value returned by authentication callbacks and to retrieve it afterward via ServerConn.Permissions rather than from external state; third-party libraries that share Permissions objects across attempts require separate review. The EPSS score has remained near 0.4 with only a modest peak, indicating moderate but not sharply increasing exploitation interest.

Vulnerability details

Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any.

Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key.

Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.

Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.
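
The A-then-B sequence described above, as an added example (not code from golang.org/x/crypto or from this advisory): a standard-library-only Go model of the pre-v0.31.0 callback flow that compares authorizing from external state with authorizing from Permissions.Extensions. The offer type, the authenticate and login functions, and the key and user names are constructed for illustration; in the model a nil return from the callback means the key is rejected.

```go
package main

import "fmt"

// Model types (not the real package): Permissions mirrors the shape of ssh.Permissions;
// an unsigned offer is the "is this key acceptable?" query, a signed one proves possession.
type Permissions struct{ Extensions map[string]string }
type offer struct{ key string; signed bool }

var authorized = map[string]string{"key-A": "guest", "key-B": "admin"} // constructed data

// authenticate models the pre-fix flow: callback once per distinct key, results cached.
func authenticate(offers []offer, cb func(string) *Permissions) *Permissions {
	cache := map[string]*Permissions{}
	for _, o := range offers {
		if _, seen := cache[o.key]; !seen {
			cache[o.key] = cb(o.key) // nil result = key rejected (model convention)
		}
		if p := cache[o.key]; p != nil && o.signed {
			return p // Permissions of the attempt that actually authenticated
		}
	}
	return nil
}

// login authorizes from external state (vulnerable) or from Permissions (hardened).
func login(offers []offer, useExternalState bool) string {
	lastKey := ""
	perms := authenticate(offers, func(key string) *Permissions {
		user, ok := authorized[key]
		if !ok {
			return nil
		}
		lastKey = key // external state: overwritten by every accepted query
		return &Permissions{Extensions: map[string]string{"user": user}}
	})
	if perms == nil {
		return "" // connection never established
	}
	if useExternalState {
		return authorized[lastKey] // vulnerable: last key seen, not the key that signed
	}
	return perms.Extensions["user"] // hardened: state bound to the successful attempt
}

func main() {
	offers := []offer{{"key-A", false}, {"key-B", false}, {"key-A", true}}
	fmt.Println("external state:", login(offers, true), "| Permissions:", login(offers, false))
}
```

With the constructed offers, the external-state path resolves to the owner of key B while the Permissions path resolves to the owner of key A, the only key that was signed with.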

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Go
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References