Description
Advisory GHSA-xgpc-q899-67p8 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/rancher/fleet |
Description:
Impact
A vulnerability has been identified in Fleet where, by default, Fleet automatically trusts a remote server’s certificate when connecting through SSH if the certificate isn’t set in the known_hosts file. This could allow a man-in-the-middle (MitM) attack against Fleet. If the server being connected to has a trusted entry in the known_hosts file, Fleet correctly checks the authenticity of the presented certificate.
Please consult the associated [MITRE ATT&CK - Technique - Adversary-in-the-Middle](https://attack.mitre.org/techniqu...
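To make the two behaviours the advisory contrasts concrete, the following is an added example (not Fleet's own code) of a host-key check over a minimal known_hosts parser: the `trustUnknown` flag models the vulnerable default that accepts any key from a host with no known_hosts entry, and the strict policy rejects such hosts until their key is pinned. `parseKnownHosts`, `verifyHostKey` and the sample entry are constructed for illustration.

```go
package main

import (
	"bufio"
	"errors"
	"strings"
)

// hostKey is the (key type, base64 blob) pair recorded per host in known_hosts.
type hostKey struct{ Type, Blob string }

var ErrUnknownHost = errors.New("host key verification failed: host not in known_hosts")
var ErrKeyMismatch = errors.New("host key verification failed: key does not match known_hosts")

// parseKnownHosts reads plain known_hosts lines "host[,host...] keytype blob [comment]".
// Comment, "@marker" and hashed "|1|" lines are skipped (assumption: plain entries only).
func parseKnownHosts(data string) map[string][]hostKey {
	known := map[string][]hostKey{}
	sc := bufio.NewScanner(strings.NewReader(data))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 3 && !strings.ContainsAny(f[0][:1], "#@|") {
			for _, h := range strings.Split(f[0], ",") {
				known[h] = append(known[h], hostKey{f[1], f[2]})
			}
		}
	}
	return known
}

// verifyHostKey checks the key a server presents against known_hosts. trustUnknown=true
// reproduces the vulnerable default: a host with no entry is accepted with any key, so an
// interposed server passes. trustUnknown=false rejects unknown hosts until they are pinned.
func verifyHostKey(known map[string][]hostKey, host string, presented hostKey, trustUnknown bool) error {
	keys, ok := known[host]
	if !ok {
		if trustUnknown {
			return nil
		}
		return ErrUnknownHost
	}
	for _, k := range keys {
		if k == presented {
			return nil
		}
	}
	return ErrKeyMismatch
}

const sampleKnownHosts = "# constructed sample\ngit.example.com,10.0.0.5 ssh-ed25519 AAAAC3PLACEHOLDERKEY1 ci@example\n" // constructed; placeholder blob, not a real key
```

The mitigation the advisory implies is the strict branch: pin each server's key in known_hosts so that the unknown-host path is never taken.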
References:
- ADVISORY: GHSA-xgpc-q899-67p8
- ADVISORY: GHSA-xgpc-q899-67p8
- FIX: [v0.12] - Avoids returning nil map when options.Helm is used rancher/fleet#3571
- FIX: [v0.11] - Avoids returning nil map when options.Helm is used rancher/fleet#3572
- FIX: [v0.10] - Avoids returning nil map when options.Helm is used rancher/fleet#3573
- WEB: https://github.com/rancher/fleet/releases/tag/v0.10.12
- WEB: https://github.com/rancher/fleet/releases/tag/v0.11.7
- WEB: https://github.com/rancher/fleet/releases/tag/v0.12.2
No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/rancher/fleet
      versions:
          - introduced: 0.9.0-rc.1
          - fixed: 0.10.12
          - introduced: 0.11.0
          - fixed: 0.11.7
          - introduced: 0.12.0
          - fixed: 0.12.2
      vulnerable_at: 0.12.1
summary: Fleet doesn’t validate a server’s certificate when connecting through SSH in github.com/rancher/fleet
cves:
    - CVE-2025-23390
ghsas:
    - GHSA-xgpc-q899-67p8
references:
    - advisory: https://github.com/advisories/GHSA-xgpc-q899-67p8
    - advisory: https://github.com/rancher/fleet/security/advisories/GHSA-xgpc-q899-67p8
    - fix: https://github.com/rancher/fleet/pull/3571
    - fix: https://github.com/rancher/fleet/pull/3572
    - fix: https://github.com/rancher/fleet/pull/3573
    - web: https://github.com/rancher/fleet/releases/tag/v0.10.12
    - web: https://github.com/rancher/fleet/releases/tag/v0.11.7
    - web: https://github.com/rancher/fleet/releases/tag/v0.12.2
source:
    id: GHSA-xgpc-q899-67p8
    created: 2025-04-25T16:01:29.574123057Z
review_status: UNREVIEWED
```