#VU101777 Improper authorization in crypto - CVE-2024-45337
Vulnerability identifier: #VU101777
Vulnerability risk: Medium
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID:
CWE-ID:
CWE-285
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
crypto
Universal components / Libraries /
Libraries used by multiple products
Vendor: Go
Description
The vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists due to improper authorization caused by improper usage of the ServerConfig.PublicKeyCallback callback. A remote attacker can bypass authorization in certain cases and gain access to the application.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
crypto: 0.0.0-0.20190320223903-b7391e95e576 - 0.30.0
External links
https://www.openwall.com/lists/oss-security/2024/12/11/2
https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909
https://go.dev/cl/635315
https://go.dev/issue/70779
https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ
https://pkg.go.dev/vuln/GO-2024-3321
https://github.com/advisories/GHSA-v778-237x-gjrc
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
