Home/CVE/Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback
CVE

CVE-2024-45337

Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback

Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts.

users of third-party libraries should refer to the relevant projects for guidance.

CRITICAL · CVSS 9.1 EPSS 0.3863
Act now
  • EPSS ≥ 0.10 - elevated exploitation probability
  • EPSS percentile: top 3% of all CVEs by exploitation likelihood
  • Public exploit or PoC is available
  • SSVC automatable: yes - attacks can be scripted at scale
  • CVSS base score ≥ 7.0
Sigma rules0 YARA rules0
Look this up elsewhere - one-click external pivots
NVDCVE.orgCISAVulnersExploit-DBGitHub PoCVulnCheck KEVGreyNoise
How to read a CVE - triage first, then detect and patch
This page is every public fact about CVE-2024-45337, cross-linked. Its job is to answer one question fast - does this need my attention now? - and then hand you the two things you do about it. Here is how an analyst reads it.
Triage: should I act now? Four signals, and they are not interchangeable:
CVSSseverity - how bad it is IF exploited, 0-10. A high CVSS alone is not urgency; a flaw can be a perfect 10 and never actually be attacked. EPSSprobability - a model’s estimate of the chance it is exploited in the next 30 days, 0-1. This is the “will it actually happen” signal. CISA KEVconfirmed - it is being exploited in the wild right now. The strongest signal on the page; KEV beats any score. Weaponisedavailability - public exploits / PoCs, and especially Metasploit modules rated Excellent / Great. Reliable, packaged exploit code means low-skill attackers can use it today.
How they combine: KEV, or a dependable Metasploit module, means patch now regardless of CVSS. High CVSS + low EPSS + no exploit is real but not an emergency - schedule it. Low CVSS but KEV-listed still gets patched now. The verdict above already weighed these for you; this is how it got there.
Then what - two workflows:
Detectwhen you cannot patch today, follow this CVE to the ATT&CK techniques it enables, then Build a SIEM detection (the green button) - author a rule, test it in Atomic, deploy it. That buys visibility while the patch waits. PatchAffected products / packages tell you if you are exposed; Fixed versions by distribution and Vendor advisories give the exact version that closes it.
Reading order for the panels below: verdict + badges, then Public exploits / Metasploit (is it weaponised), then ATT&CK techniques + Sigma / IDS rules (can I detect it), then Affected products / packages + Fixed versions (am I exposed, what patches it), then Threat actors / IOCs (who uses it), then Scoring & timeline / references (the evidence).

ATT&CK techniques

1

Techniques this CVE enables - linked via CWECAPECATT&CK. High◆ = named directly in ATT&CK or Nuclei templates.

T1190 · Exploit Public-Facing Application
▤ Build a SIEM detection for these techniques

Affected Packages

1
Language-ecosystem packages (from OSV) tied to this CVE, with the version that fixes it - the dependency-level detail NVD doesn’t carry.
Go golang.org/x/crypto CRITICAL fixed in 0.31.0

Public Exploits & PoCs

15
These PoC and exploit links come from public sources and are not verified to be safe or functional. Review the code before running anything, and treat unverified entries as untrusted.
pocNHAS/CVE-2024-45337-POC (nomi-sec)
pocNHAS/VULNERABLE-CVE-2024-45337 (nomi-sec)
pocpeace-maker/CVE-2024-45337 (nomi-sec)
pocBackline-playground/gogs (nomi-sec)
poc11notes/docker-ente (trickest)
poc11notes/docker-github-runner (trickest)
poc8-cm/kube-dump (trickest)
pocARPSyndicate/cve-scores (trickest)
pocNHAS/cvessh (trickest)
pocTAMULib/metadb-docker (trickest)
pocecomtech-oss/pisc (trickest)
pocghadeer-elsalhawy/antrea-Renovate-lfx (trickest)
pocghostbyt3/patch-tuesday (trickest)
pockaisensan/desafio-girus-pick (trickest)
pocnomi-sec/PoC-in-GitHub (trickest)
📦

Fixed versions by distribution

74
The package version that resolves this CVE on each Linux distribution, from the vendor’s published security data. fixed in shows a patched version exists; open means the package is listed as affected with no fix yet.
alpine edgerclone fixed in 1.69.0-r0
suse sle15amazon-ssm-agent open
suse sle15apptainer fixed in 0:1.3.6-150600.4.9.1
suse sle15apptainer-sle15_6 fixed in 0:1.3.6-150600.4.9.1
suse sle15apptainer-sle15_7 fixed in 0:1.3.6-150600.4.9.1
suse sle15buildah open
suse sle15cosign open
suse sle15docker open
suse sle15docker-bash-completion open
suse sle15docker-buildx open
suse sle15docker-fish-completion open
suse sle15docker-rootless-extras open
suse sle15docker-zsh-completion open
suse sle15golang-github-prometheus-promu fixed in 0:0.17.0-150000.3.24.1
suse sle15google-guest-agent fixed in 0:20250327.01-150000.1.60.1
suse sle15grafana fixed in 0:10.4.13-150200.3.59.1
suse sle15helm fixed in 0:3.17.1-150000.1.41.1
suse sle15helm-bash-completion fixed in 0:3.17.1-150000.1.41.1
suse sle15helm-fish-completion fixed in 0:3.17.1-150000.1.41.1
suse sle15helm-zsh-completion fixed in 0:3.17.1-150000.1.41.1
suse sle15kubernetes-client open
suse sle15kubernetes-common open
suse sle15kubernetes1.18-client open
suse sle15kubernetes1.18-client-common open
suse sle15kubernetes1.23-client open
suse sle15kubernetes1.23-client-common open
suse sle15kubernetes1.24-client open
suse sle15kubernetes1.24-client-common open
suse sle15kubernetes1.25-client open
suse sle15kubernetes1.25-client-common open
suse sle15kubernetes1.26-client open
suse sle15kubernetes1.26-client-common open
suse sle15kubernetes1.27-client open
suse sle15kubernetes1.27-client-common open
suse sle15kubernetes1.28-client open
suse sle15kubernetes1.28-client-common open
suse sle15kubevirt-manifests fixed in 0:1.4.1-150600.5.24.1
suse sle15kubevirt-virtctl fixed in 0:1.5.2-150700.3.5.2
suse sle15podman open
suse sle15podman-cni-config open
suse sle15podman-docker open
suse sle15podman-remote open
suse sle15podmansh open
suse sle15rekor open
suse sle15rime-schema-all fixed in 0:20230603+git.5fdd2d6-150600.3.8.1
suse sle15rime-schema-array fixed in 0:20230603+git.5fdd2d6-150600.3.8.1
suse sle15rime-schema-bopomofo fixed in 0:20230603+git.5fdd2d6-150600.3.8.1
suse sle15rime-schema-cangjie fixed in 0:20230603+git.5fdd2d6-150600.3.8.1
suse sle15rime-schema-cantonese fixed in 0:20230603+git.5fdd2d6-150600.3.8.1
suse sle15rime-schema-combo-pinyin fixed in 0:20230603+git.5fdd2d6-150600.3.8.1
suse sle15rime-schema-custom fixed in 0:20230603+git.5fdd2d6-150600.3.8.1
suse sle15rime-schema-default fixed in 0:20230603+git.5fdd2d6-150600.3.8.1
suse sle15rime-schema-double-pinyin fixed in 0:20230603+git.5fdd2d6-150600.3.8.1
suse sle15rime-schema-emoji fixed in 0:20230603+git.5fdd2d6-150600.3.8.1
suse sle15rime-schema-essay fixed in 0:20230603+git.5fdd2d6-150600.3.8.1
suse sle15rime-schema-essay-simp fixed in 0:20230603+git.5fdd2d6-150600.3.8.1
suse sle15rime-schema-extra fixed in 0:20230603+git.5fdd2d6-150600.3.8.1
suse sle15rime-schema-ipa fixed in 0:20230603+git.5fdd2d6-150600.3.8.1
suse sle15rime-schema-luna-pinyin fixed in 0:20230603+git.5fdd2d6-150600.3.8.1
suse sle15rime-schema-middle-chinese fixed in 0:20230603+git.5fdd2d6-150600.3.8.1
suse sle15rime-schema-pinyin-simp fixed in 0:20230603+git.5fdd2d6-150600.3.8.1
suse sle15rime-schema-prelude fixed in 0:20230603+git.5fdd2d6-150600.3.8.1
suse sle15rime-schema-quick fixed in 0:20230603+git.5fdd2d6-150600.3.8.1
suse sle15rime-schema-scj fixed in 0:20230603+git.5fdd2d6-150600.3.8.1
suse sle15rime-schema-soutzoe fixed in 0:20230603+git.5fdd2d6-150600.3.8.1
suse sle15rime-schema-stenotype fixed in 0:20230603+git.5fdd2d6-150600.3.8.1
suse sle15rime-schema-stroke fixed in 0:20230603+git.5fdd2d6-150600.3.8.1
suse sle15rime-schema-terra-pinyin fixed in 0:20230603+git.5fdd2d6-150600.3.8.1
suse sle15rime-schema-wubi fixed in 0:20230603+git.5fdd2d6-150600.3.8.1
suse sle15rime-schema-wugniu fixed in 0:20230603+git.5fdd2d6-150600.3.8.1
suse sle15skopeo open
suse sle15skopeo-bash-completion open
suse sle15skopeo-zsh-completion open
suse sle15supportutils-plugin-salt fixed in 0:1.2.3-150000.3.16.1

Scoring & Timeline

9.1
CRITICAL · CVSS v3.1 · [email protected]
View on NVD
Attack Vector
Network Adjacent Local Physical
Attack Complexity
Low High
Privileges Required
None Low High
User Interaction
None Required
Scope
Unchanged Changed
Confidentiality
None Low High
Integrity
None Low High
Availability
None Low High
Published to NVD12 Dec 2024 · 02:02 AM
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
SSVC triage · cisa-vulnrichment
Exploitation
none
Automatable
yes
Technical impact
total
SSVC asks the questions that actually drive patch urgency: is it being exploited, can attacks be automated, and how total is the impact.

Vendor Advisories

30
suse-csafSUSE-SU-2026:22065-1
suse-csafSUSE-SU-2026:22074-1
suse-csafopenSUSE-SU-2026:10949-1
suse-csafopenSUSE-SU-2026:20902-1
suse-csafopenSUSE-SU-2026:20893-1
🔗

References & Sources

7
Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.
https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909
https://go.dev/cl/635315
https://go.dev/issue/70779
https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ
https://pkg.go.dev/vuln/GO-2024-3321
http://www.openwall.com/lists/oss-security/2024/12/11/2
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Daily brief
Change tracking
Detection Engineering
Coverage workspace
Detection coverage
Coverage check
Telemetry ceiling
SIEM query builder
Sigma rules
SIEM rules
YARA rules
Network rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Coverage report
Atlas Search Threat actors Techniques Tools & malware CWE CAPEC KEV catalog Package vulns TAXII feed Data sources
About All capabilities Pricing API docs Live statistics Live status Privacy policy Terms of service
threatengine.sh