CVE-2024-45337
Update
Remco has released a patched version that addresses this dependency finding; it is included in our 5.11.0 release. The false-positive assessment below still applies to older versions of Rundeck.
Original Issue in golang/x/crypto
FALSE POSITIVE
Rundeck and Runbook Automation are not vulnerable to this CVE.
The finding comes from the golang.org/x/crypto dependency pulled in by remco.
The CVE describes an authorization bypass in applications that misuse the ssh.ServerConfig.PublicKeyCallback callback, that is, code running an SSH server that records the key passed to the callback and trusts it later instead of relying on what the library actually authenticated. Rundeck does not run remco as a server:
it is invoked only before Rundeck startup to generate configuration files, so the vulnerable code path is never reached.
The fix for this vulnerability is in golang.org/x/crypto 0.31.0, while the latest remco
release still depends on crypto library version 0.18.0 (remco repo), which is why scanners flag it.
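To make the "misuse of PublicKeyCallback" concrete, the following is an added illustration, not code from Rundeck, remco or golang.org/x/crypto. It uses stand-in types that only mimic the shape of ssh.Permissions and ssh.ServerConfig.PublicKeyCallback, and a hypothetical serverAuth function that models the pre-fix per-key caching of callback results (and, with fixed=true, the last-key-only behaviour of the 0.31.0 mitigation). The attacker holds an operator key, queries the admin key without signing, then authenticates with its own key; an application that keeps out-of-band state from the callback grants the wrong role, while one that reads the returned Permissions.Extensions does not.

```go
// Added illustration of the CVE-2024-45337 misuse pattern. Stand-in types only;
// nothing here is the real golang.org/x/crypto/ssh API.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Permissions mirrors the shape of ssh.Permissions (stand-in type).
type Permissions struct {
	Extensions map[string]string
}

// PublicKeyCallback mirrors ssh.ServerConfig.PublicKeyCallback (stand-in;
// the real one takes ssh.ConnMetadata and ssh.PublicKey).
type PublicKeyCallback func(user string, key ed25519.PublicKey) (*Permissions, error)

// authAttempt is one "publickey" userauth request. sig is nil for a query
// (client asks whether the key is acceptable without proving possession);
// a signed request carries a signature over sessionID.
type authAttempt struct {
	key ed25519.PublicKey
	sig []byte
}

func fingerprint(k ed25519.PublicKey) string { return hex.EncodeToString(k) }

// serverAuth models the library. Pre-fix (fixed=false): callback results are
// cached per key, so the signed request for an already-queried key never
// reaches the callback again, and the last key the callback saw may be one the
// client never proved. fixed=true keeps only the last key's result, so the
// last callback invocation is always for the key that authenticates.
func serverAuth(user string, sessionID []byte, attempts []authAttempt, cb PublicKeyCallback, fixed bool) (*Permissions, error) {
	type result struct {
		perms *Permissions
		err   error
	}
	cache := map[string]result{}
	lastCalled := ""
	for _, a := range attempts {
		fp := fingerprint(a.key)
		r, hit := cache[fp]
		if !hit || (fixed && fp != lastCalled) {
			perms, err := cb(user, a.key)
			r = result{perms, err}
			cache[fp] = r
			lastCalled = fp
		}
		if r.err != nil || a.sig == nil {
			continue // rejected, or acceptable but possession not yet proven
		}
		if ed25519.Verify(a.key, sessionID, a.sig) {
			return r.perms, nil // only the proven key's Permissions are returned
		}
	}
	return nil, errors.New("authentication failed")
}

// appServer is the hypothetical application: a key-to-role table plus the
// out-of-band state that the vulnerable pattern writes from the callback.
type appServer struct {
	roles    map[string]string // fingerprint -> role
	lastSeen string            // vulnerable: last fingerprint the callback accepted
}

func (s *appServer) callback(_ string, key ed25519.PublicKey) (*Permissions, error) {
	fp := fingerprint(key)
	role, ok := s.roles[fp]
	if !ok {
		return nil, errors.New("unknown key")
	}
	s.lastSeen = fp // vulnerable: this key may never be proven
	// Correct: bind the role to this key's Permissions; the library hands
	// them back only for the key whose signature verified.
	return &Permissions{Extensions: map[string]string{"role": role}}, nil
}

// runScenario returns the role the application grants to a client that holds
// only the operator key but queries the admin key first.
func runScenario(fixedLibrary, useExtensions bool) (string, error) {
	adminPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	operatorPub, operatorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	sessionID := make([]byte, 32)
	if _, err := rand.Read(sessionID); err != nil {
		return "", err
	}
	app := &appServer{roles: map[string]string{
		fingerprint(adminPub): "admin", fingerprint(operatorPub): "operator"}}
	attempts := []authAttempt{
		{key: operatorPub},                                            // query own key (primes the cache)
		{key: adminPub},                                               // query victim key, never signed
		{key: operatorPub, sig: ed25519.Sign(operatorPriv, sessionID)}, // real authentication
	}
	perms, err := serverAuth("alice", sessionID, attempts, app.callback, fixedLibrary)
	if err != nil {
		return "", err
	}
	if useExtensions {
		return perms.Extensions["role"], nil
	}
	return app.roles[app.lastSeen], nil
}

func main() {
	for _, tc := range []struct{ fixed, ext bool }{{false, false}, {false, true}, {true, false}} {
		role, err := runScenario(tc.fixed, tc.ext)
		fmt.Printf("fixed library=%v use Permissions.Extensions=%v -> role %q err %v\n", tc.fixed, tc.ext, role, err)
	}
}
```

With the old caching and the out-of-band pattern the operator is granted admin; reading the role from the returned Permissions.Extensions is correct even against the old library, and the 0.31.0 behaviour also repairs the out-of-band pattern for public-key authentication. The advisory still warns that the last key seen by the callback is not client-controlled only when public-key auth completes; if the connection finishes with a password or keyboard-interactive method after a query, out-of-band state remains unreliable, which is why binding data to Permissions is the recommended pattern.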