CVE-2024-39223: Missing key verification in gost

July 3, 2024 (updated October 25, 2024)

An authentication bypass in the SSH service of gost v2.11.5 allows attackers to intercept communications via setting the HostKeyCallback function to ssh.InsecureIgnoreHostKey

References

gist.github.com/nyxfqq/a7242170b1118e78436a62dee4e09e8a
github.com/advisories/GHSA-8wxx-35qc-vp6r
github.com/ginuerzh/gost
github.com/ginuerzh/gost/blob/729d0e70005607dc7c69fc1de62fd8fe21f85355/ssh.go
github.com/ginuerzh/gost/issues/1034
nvd.nist.gov/vuln/detail/CVE-2024-39223

Detect and mitigate CVE-2024-39223 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →