The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.
Additional information regarding this vulnerability can be found here: https://nvd.nist.gov/vuln/detail/CVE-2022-37454
Rally does not have SHA3 enabled on SSH and therefore is not affected by this vulnerability