GHSA-j7c9-79x7-8hpr

Suggest an improvement
Source
https://github.com/advisories/GHSA-j7c9-79x7-8hpr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-j7c9-79x7-8hpr/GHSA-j7c9-79x7-8hpr.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-j7c9-79x7-8hpr
Aliases
Published
2025-12-03T16:27:59Z
Modified
2025-12-03T17:13:02.994033Z
Severity
  • 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H CVSS Calculator
Summary
step-ca Has Improper Authorization Check for SSH Certificate Revocation
Details

Summary

A security fix is now available for Step CA that resolves a vulnerability affecting deployments configured with the SSHPOP provisioner. All operators running these provisioners should upgrade to the latest release (v0.29.0) immediately.

The issue was discovered and responsibly disclosed by a research team during a security review. There is no evidence of active exploitation.

To limit exploitation risk during a coordinated disclosure window, we are withholding detailed technical information for now. A full write-up will be published in several weeks.

Embargo List

If your organization runs Step CA in production and would like advance, embargoed notification of future security updates, visit https://u.step.sm/disclosure to request inclusion on our embargo list.

Acknowledgements

This issue was identified and reported by Gabriel Departout and Andy Russon, from AMOSSYS. This audit was sponsored by ANSSI (French Cybersecurity Agency) based on their Open-Source security audit program.

Stay safe, and thank you for helping us keep the ecosystem secure.

Database specific 
{
    "github_reviewed": true,
    "nvd_published_at": null,
    "github_reviewed_at": "2025-12-03T16:27:59Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-285",
        "CWE-863"
    ]
}
References

Affected packages

Go / github.com/smallstep/certificates

Package

Name
github.com/smallstep/certificates
View open source insights on deps.dev
Purl
pkg:golang/github.com/smallstep/certificates

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.29.0

Database specific

last_known_affected_version_range

"<= 0.28.4"