CVE-2024-39223 – github.com/ginuerzh/gost
Package
Manager: go
Name: github.com/ginuerzh/gost
Vulnerable Version: >=0 <=2.11.5
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00069 (percentile: 0.21593)
Details
Missing key verification in gost
An authentication bypass in the SSH service of gost v2.11.5 allows attackers to intercept communications via setting the HostKeyCallback function to ssh.InsecureIgnoreHostKey.
Metadata
Created: 2024-07-03T18:48:20Z
Modified: 2024-10-25T22:07:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-8wxx-35qc-vp6r/GHSA-8wxx-35qc-vp6r.json
CWE IDs: ["CWE-289", "CWE-639"]
Alternative ID: GHSA-8wxx-35qc-vp6r
Finding: F039