CVE-2024-45338

Issue in golang/x/crypto

FALSE POSITIVE

Rundeck and Runbook Automation are not vulnerable to this CVE.

The issue is related to using google crypto library.

Specifically, the issue is related to a misuse of a callback function ServerConfig.PublicKeyCallback and Rundeck does not use remco as a server as it is used only before rundeck startup to generate configuration files.

The version with the fix for this vulnerability is on 0.32.0 and the last version of remco version uses the crypto library version 0.18.0. (remco repo)