Versions of the Go SSH library (x/crypto/ssh) prior to v0.0.0-20170330155735-e4e2799dd7aa do not verify host keys by default, which facilitates man-in-the-middle attacks. The default behavior was changed to explicitly require a host key verification mechanism: a missing "HostKeyCallback" now causes the handshake to fail.
CWE-310 - Cryptographic Issues
Cryptographic issues is a category of weaknesses related to the design and implementation of the confidentiality and integrity of data. If not addressed, the weaknesses in this category can lead to data quality degradation.
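The check a "HostKeyCallback" has to perform, shown as an added example (not code from the library or from this advisory): pin each server's key fingerprint and fail closed when no pin exists. It uses only the standard library; VerifyPinned, sampleKey, and the host names are hypothetical, and the key blobs are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Fingerprint formats a wire-format public key blob (the bytes returned by
// ssh.PublicKey.Marshal) the same way ssh.FingerprintSHA256 does.
func Fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// VerifyPinned (hypothetical helper) fails closed: an address without a pin
// is rejected, and a presented key must match the pinned fingerprint.
func VerifyPinned(pins map[string]string, addr string, blob []byte) error {
	want, ok := pins[addr]
	if !ok {
		return errors.New("no pinned host key for " + addr)
	}
	if Fingerprint(blob) != want {
		return errors.New("host key mismatch for " + addr)
	}
	return nil
}

// sampleKey builds a constructed ssh-ed25519 blob: string(type) || string(key).
func sampleKey(fill byte) []byte {
	var out []byte
	for _, f := range [][]byte{[]byte("ssh-ed25519"), bytes.Repeat([]byte{fill}, 32)} {
		out = append(out, 0, 0, 0, byte(len(f))) // 4-byte big-endian length
		out = append(out, f...)
	}
	return out
}

func main() {
	good, rogue := sampleKey(0x11), sampleKey(0x22)
	// x/crypto/ssh passes the dial address ("host:port") to the callback.
	pins := map[string]string{"bastion.example:22": Fingerprint(good)}
	// Wiring into ssh.ClientConfig:
	//   HostKeyCallback: func(h string, _ net.Addr, k ssh.PublicKey) error {
	//       return VerifyPinned(pins, h, k.Marshal()) }
	fmt.Println(VerifyPinned(pins, "bastion.example:22", good))  // accepted
	fmt.Println(VerifyPinned(pins, "bastion.example:22", rogue)) // mismatch
	fmt.Println(VerifyPinned(pins, "other.example:22", good))    // no pin
}
```

The library's own ssh.FixedHostKey and the knownhosts package cover the same need. ssh.InsecureIgnoreHostKey restores the old unverified behaviour and belongs only in tests.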