Publish Advisories

GHSA-537f-gxgm-3jjq
GHSA-56wx-66px-9j66

Author: advisory-database[bot]

advisories/github-reviewed/2025/05/GHSA-537f-gxgm-3jjq/GHSA-537f-gxgm-3jjq.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-537f-gxgm-3jjq",
+  "modified": "2025-05-13T21:34:03Z",
+  "published": "2025-05-13T21:34:03Z",
+  "aliases": [
+    "CVE-2025-3757"
+  ],
+  "summary": "OpenPubkey Vulnerable to Authentication Bypass",
+  "details": "### Impact\n\nVersions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification.\n\n### Patches\n\nUpgrade to v0.10.0 or greater. This vulnerability is not present in versions of OpenPubkey after v0.9.0. \n\n### References\n\n[CVE-2025-3757 ](https://www.cve.org/CVERecord?id=CVE-2025-3757)",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/openpubkey/openpubkey"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.10.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openpubkey/openpubkey/security/advisories/GHSA-537f-gxgm-3jjq"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3757"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openpubkey/openpubkey"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-305"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-05-13T21:34:03Z",
+    "nvd_published_at": "2025-05-13T17:16:04Z"
+  }
+}

advisories/github-reviewed/2025/05/GHSA-56wx-66px-9j66/GHSA-56wx-66px-9j66.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-56wx-66px-9j66",
+  "modified": "2025-05-13T21:34:58Z",
+  "published": "2025-05-13T21:34:58Z",
+  "aliases": [
+    "CVE-2025-4658"
+  ],
+  "summary": "OPKSSH Vulnerable to Authentication Bypass ",
+  "details": "### Impact\n\nVersions of OpenPubkey library prior to 0.10.0 contained a vulnerability that would allow a specially crafted JWS to bypass signature verification. As OPKSSH depends on the OpenPubkey library for authentication, this vulnerability in OpenPubkey also applies to OPKSSH versions prior to 0.5.0 and would allow an attacker to bypass OPKSSH authentication.\n\n### Patches\n\nThe vulnerability does not exist in more recent versions of OPKSSH. his only impacts OPKSSH  when used to verify ssh keys on a server, the OPKSSH client is unaffected. To remediate upgrade to a version of OPKSSH v0.5.0 or greater.\n\nTo determine if you are vulnerable run on your server:\n\n```bash\nopkssh --version\n```\n\nIf the version is less than 0.5.0 you should upgrade. To upgrade to the latest version run:\n\n```bash\nwget -qO- \"https://raw.githubusercontent.com/openpubkey/opkssh/main/scripts/install-linux.sh\" | sudo bash\n``` \n\n\n### References\n\n[CVE-2025-4658](https://www.cve.org/CVERecord?id=CVE-2025-4658)\n\nThe upstream vulnerability in OpenPubkey is [CVE-2025-3757](https://www.cve.org/CVERecord?id=CVE-2025-3757) and has the security advisory https://github.com/openpubkey/openpubkey/security/advisories/GHSA-537f-gxgm-3jjq",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/openpubkey/opkssh"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.5.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openpubkey/opkssh/security/advisories/GHSA-56wx-66px-9j66"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4658"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openpubkey/opkssh"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-305"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-05-13T21:34:58Z",
+    "nvd_published_at": "2025-05-13T17:16:04Z"
+  }
+}