x/vulndb: potential Go vuln in github.com/ginuerzh/gost: GHSA-8wxx-35qc-vp6r

[GoVulnBot]

Advisory GHSA-8wxx-35qc-vp6r references a vulnerability in the following Go modules:

Module
github.com/ginuerzh/gost

Description:
An authentication bypass in the SSH service of gost v2.11.5 allows attackers to intercept communications via setting the HostKeyCallback function to ssh.InsecureIgnoreHostKey

References:

• ADVISORY: GHSA-8wxx-35qc-vp6r
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-39223
• REPORT: Security Vulnerability in SSH ForwardTransporter Handshake Process ginuerzh/gost#1034
• WEB: https://gist.github.com/nyxfqq/a7242170b1118e78436a62dee4e09e8a
• WEB: https://github.com/ginuerzh/gost/blob/729d0e70005607dc7c69fc1de62fd8fe21f85355/ssh.go#L229

Cross references:

• github.com/ginuerzh/gost appears in 1 other report(s):
  • data/excluded/GO-2023-1784.yaml (x/vulndb: potential Go vuln in github.com/ginuerzh/gost: GHSA-qjrq-hm79-49ww #1784) EFFECTIVELY_PRIVATE

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/ginuerzh/gost
      vulnerable_at: 0.0.0-20241011080244-87d6a2fdc2cc
summary: Missing key verification in gost in github.com/ginuerzh/gost
cves:
    - CVE-2024-39223
ghsas:
    - GHSA-8wxx-35qc-vp6r
references:
    - advisory: https://github.com/advisories/GHSA-8wxx-35qc-vp6r
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-39223
    - report: https://github.com/ginuerzh/gost/issues/1034
    - web: https://gist.github.com/nyxfqq/a7242170b1118e78436a62dee4e09e8a
    - web: https://github.com/ginuerzh/gost/blob/729d0e70005607dc7c69fc1de62fd8fe21f85355/ssh.go#L229
source:
    id: GHSA-8wxx-35qc-vp6r
    created: 2024-10-25T23:01:15.558921506Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/622835 mentions this issue: data/reports: add 16 unreviewed reports