The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
This project does not use the ssh submodule, so this is lower priority, but our crypto/ssh package version is very very out of date/old.
asararatnakar
commented
10 months ago
https://nvd.nist.gov/vuln/detail/CVE-2022-27191 says:
This project does not use the
sshsubmodule, so this is lower priority, but ourcrypto/sshpackage version is very very out of date/old.Reference: https://github.com/hyperledger-labs/fabric-operator/blob/main/go.mod#L121