Miggo Logo
Miggo Vulnerability Database
CVE-2024-41264

CVE-2024-41264: casdoor's use of`ssh.InsecureIgnoreHostKey()` disables host key verification

3.7

CVSS Score
3.1

Basic Information

CVE ID
CVE-2024-41264
GHSA ID
GHSA-67fw-w8f2-88wp
EPSS Score
0.17332%
CWE
CWE-200
Published
8/1/2024
Updated
8/16/2024
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/casdoor/casdoorgo>= 1.541.0, <= 1.636.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

All three functions in viaSSHDialer.go configure SSH clients with HostKeyCallback: ssh.InsecureIgnoreHostKey(), which explicitly disables host key verification. This violates secure SSH practices by allowing potential MITM attacks, directly enabling the CWE-295/297 certificate validation flaws and CWE-200 information exposure described in the advisory. The code references match exactly with the vulnerability reports and GitHub file links provided.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* *is*ov*r** in **s*oor v*.***.* *llows *tt**k*rs to o*t*in s*nsitiv* in*orm*tion vi* t** `ss*.Ins**ur*I*nor**ostK*y()` m*t*o*.

Reasoning

*ll t*r** *un*tions in `vi*SS**i*l*r.*o` *on*i*ur* SS* *li*nts wit* `*ostK*y**ll***k`: `ss*.Ins**ur*I*nor**ostK*y()`, w*i** *xpli*itly *is**l*s *ost k*y v*ri*i**tion. T*is viol*t*s s**ur* SS* pr**ti**s *y *llowin* pot*nti*l MITM *tt**ks, *ir**tly *n*