CVE-2025-22865

Published: 28 Jan 2025
Source: redhat
CVSS3: 7.5

Description

Using ParsePKCS1PrivateKey to parse an RSA key that is missing the CRT values would panic when verifying that the key is well formed.

A flaw was found in the crypto/x509 golang library. Using ParsePKCS1PrivateKey to parse an RSA key that is missing the CRT values causes a panic when verifying that the key is well formed.

Report

This vulnerability affects only the Go 1.24 release candidates. Red Hat products do not utilize Go 1.24, except Red Hat Ceph Storage 8 which includes a Grafana container that uses Go 1.24 and is therefore affected by this issue.

Affected packages

| Platform | Package | State | Recommendation | Release |
| --- | --- | --- | --- | --- |
| Assisted Installer for Red Hat OpenShift Container Platform 2 | rhai-tech-preview/assisted-installer-rhel8 | Not affected | | |
| Cryostat 3 | cryostat-tech-preview/cryostat-storage-rhel8 | Not affected | | |
| Deployment Validation Operator | deployment-validation-operator-container | Not affected | | |
| Fence Agents Remediation Operator | fence-agents-remediation-operator-container | Not affected | | |
| Kube Descheduler Operator | kube-descheduler-operator/descheduler-rhel9 | Not affected | | |
| Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-loki-rhel9 | Not affected | | |
| Logical Volume Manager Storage | lvms4/topolvm-rhel9 | Not affected | | |
| Machine Deletion Remediation Operator | machine-deletion-remediation-operator-container | Not affected | | |
| Migration Toolkit for Applications 7 | mta/mta-cli-rhel9 | Not affected | | |
| Migration Toolkit for Containers | rhmtc/openshift-migration-registry-rhel8 | Not affected | | |

Additional information

Status: Important
Defect: CWE-228
https://bugzilla.redhat.com/show_bug.cgi?id=2342464 crypto/x509: ParsePKCS1PrivateKey panic with partial keys in crypto/x509

CVSS3: 7.5 High

Related vulnerabilities

CVSS3: 7.5
ubuntu
about 1 year ago

Using ParsePKCS1PrivateKey to parse an RSA key that is missing the CRT values would panic when verifying that the key is well formed.

CVSS3: 7.5
nvd
about 1 year ago

Using ParsePKCS1PrivateKey to parse an RSA key that is missing the CRT values would panic when verifying that the key is well formed.

CVSS3: 7.5
debian
about 1 year ago

Using ParsePKCS1PrivateKey to parse an RSA key that is missing the CRT ...

CVSS3: 7.5
github
about 1 year ago

Using ParsePKCS1PrivateKey to parse an RSA key that is missing the CRT values would panic when verifying that the key is well formed.

CVSS3: 7.5
fstec
about 1 year ago

A vulnerability in the ParsePKCS1PrivateKey function of the crypto/x509 library of the Go programming language that allows an attacker to gain unauthorized access to protected information
