GHSA-78mq-xcr3-xm33MediumCVSS 5.3
golang.org/x/crypto/ssh is vulnerable to invoking server panic during CheckHostKey/Authenticate flow
🔗 CVE IDs covered (1)
📋 Description
SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.
🎯 Affected products1
- go/golang.org/x/crypto/ssh:< 0.52.0