Skip to main content

CVE-2024-45337

CVE-2024-45337

Update

Remco has released a patched version which addresses this package finding and is included in our 5.11.0 release. The False Positive still applies to older versions of Rundeck.

Original Issue in golang/x/crypto

FALSE POSITIVE

Rundeck and Runbook Automation are not vulnerable to this CVE.

The issue is related to using google crypto library.

Specifically, the issue is related to a misuse of a callback function ServerConfig.PublicKeyCallback and Rundeck does not use remco as a server as it is used only before rundeck startup to generate configuration files.

The version with the fix for this vulnerability is on 0.32.0 and the last version of remco version uses the crypto library version 0.18.0. (remco repo)