GHSA-5cgq-3rg8-m6cvCriticalCVSS 9.1
golang.org/x/crypto/ssh/knownhosts vulnerable to auth bypass via unenforced @revoked status
🔗 CVE IDs covered (1)
📋 Description
Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.
🎯 Affected products1
- go/golang.org/x/crypto/ssh/knownhosts:< 0.52.0