
63 matches found

Github Security Blog
added last week, 12 views

golang.org/x/crypto/ssh: Invoking VerifiedPublicKeyCallback permissions skip enforcement

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped...

CVSS 10, AI score 5.8, EPSS 0.03092
Exploits 2, References 18, Affected software 1

EUVD
added last week, 9 views

EUVD-2026-31395

golang.org/x/crypto/ssh: FIDO/U2F security key physical presence check can be bypassed...

CVSS 9.1, AI score 5.8, EPSS 0.00373
Exploits 0, References 6

OSV
added last week, 4 views

GHSA-89GR-R52H-F8RX golang.org/x/crypto/ssh: FIDO/U2F security key physical presence check can be bypassed

The Verify method for FIDO/U2F security key types sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior,...

CVSS 9.1, AI score 5.8, EPSS 0.00373
Exploits 0, References 6

Github Security Blog
added last week, 8 views

golang.org/x/crypto/ssh is vulnerable to invoking server panic during CheckHostKey/Authenticate flow

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil...

CVSS 7.5, AI score 5.8, EPSS 0.00273
Exploits 0, References 11, Affected software 1

RedhatCVE
added 2026/06/05 7:44 p.m., 8 views

CVE-2026-39831

The Verify method for FIDO/U2F security key types sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior,...

CVSS 9.1, AI score 5.4, EPSS 0.00373
Exploits 0, References 1

Tenable Nessus
added 2026/05/25 12:00 a.m., 10 views

Linux Distros Unpatched Vulnerability : CVE-2026-39831

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - The Verify method for FIDO/U2F security key types sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com did not check the User Presence flag. Signatur...

CVSS 9.1, AI score 5.9, EPSS 0.00373
Exploits 0, References 3

SUSE CVE
added 2026/05/23 1:29 a.m., 14 views

SUSE CVE-2026-39831

The Verify method for FIDO/U2F security key types sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior,...

CVSS 8.1, AI score 5.8, EPSS 0.00373
Exploits 0, References 18

Snyk
added 2026/05/22 5:32 a.m., 8 views

Uncaught Exception

Overview: golang.org/x/crypto/ssh is an SSH client and server. Affected versions of this package are vulnerable to Uncaught Exception in the CertChecker component when used as a public key callback without setting IsUserAuthority or IsHostAuthority. An attacker can cause the server to panic by...

CVSS 8.7, AI score 5.8, EPSS 0.00273
Exploits 0, References 2

Snyk
added 2026/05/22 5:32 a.m., 8 views

Uncaught Exception

Overview: github.com/golang/crypto/ssh is an SSH client and server. Affected versions of this package are vulnerable to Uncaught Exception in the CertChecker component when used as a public key callback without setting IsUserAuthority or IsHostAuthority. An attacker can cause the server to panic by...

CVSS 8.7, AI score 5.8, EPSS 0.00273
Exploits 0, References 2

Snyk
added 2026/05/22 5:29 a.m., 8 views

Incorrect Authorization

Overview: golang.org/x/crypto/ssh is an SSH client and server. Affected versions of this package are vulnerable to Incorrect Authorization due to improper enforcement of permissions in the VerifiedPublicKeyCallback process. An attacker can bypass source-address validation by passing a callback type...

CVSS 10, AI score 5.8, EPSS 0.0044
Exploits 0, References 2

NVD
added 2026/05/22 4:16 a.m., 18 views

CVE-2026-46595

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped...

CVSS 10, EPSS 0.0044
Exploits 0, References 15

NVD
added 2026/05/22 4:16 a.m., 21 views

CVE-2026-39831

The Verify method for FIDO/U2F security key types sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior,...

CVSS 9.1, EPSS 0.00373
Exploits 0, References 4

OSV
added 2026/05/22 4:16 a.m., 5 views

UBUNTU-CVE-2026-39835

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil...

CVSS 7.5, AI score 5.8, EPSS 0.00273
Exploits 0, References 6

Vulnrichment
added 2026/05/22 2:31 a.m., 7 views

CVE-2026-39831 Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh

The Verify method for FIDO/U2F security key types sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior,...

AI score 5.8, EPSS 0.00373
Exploits 0, References 4

ATTACKERKB
added 2026/05/22 2:31 a.m., 6 views

CVE-2026-39831

The Verify method for FIDO/U2F security key types sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior,...

AI score 5.8, EPSS 0.00373
Exploits 0, References 5

CVE
added 2026/05/22 2:31 a.m., 96 views

CVE-2026-39831

CVE-2026-39831 involves the Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) where the User Presence flag was not checked. This allowed signatures generated without physical user interaction to be accepted, enabling unattended use of...

CVSS 9.1, AI score 5.8, EPSS 0.00373
Exploits 0, References 4, Affected software 1

CVE
added 2026/05/22 2:31 a.m., 163 views

CVE-2026-46595

CVE-2026-46595 affects golang.org/x/crypto/ssh. The issue arises when VerifiedPublicKeyCallback is invoked with a callback type other than public key, causing the source-address validation to be bypassed and enabling an authorization bypass. The description notes this is a continuation of CVE-202...

CVSS 10, AI score 5.8, EPSS 0.0044
Exploits 0, References 15, Affected software 1

Cvelist
added 2026/05/22 2:31 a.m., 58 views

CVE-2026-46595 Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped...

EPSS 0.0044
Exploits 0, References 4

ATTACKERKB
added 2026/05/22 2:31 a.m., 7 views

CVE-2026-46595

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped...

CVSS 9.1, AI score 6.8, EPSS 0.03092
Exploits 2, References 5

ATTACKERKB
added 2026/05/22 2:31 a.m., 8 views

CVE-2026-39835

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil...

AI score 5.8, EPSS 0.00273
Exploits 0, References 5