GHSA-87mm-qxm5-cp3f

Опубликовано: 28 дек. 2022

Источник: github

Github: Прошло ревью

CVSS3: 7.7

Описание

go-resolver vulnerable to attacker-controlled domains due to unvalidated RRSIG RRs

go-resolver's DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. The owner name of RRSIG RRs is not validated, permitting an attacker to present the RRSIG for an attacker-controlled domain in a response for any other domain.

Ссылки

Пакеты

Наименование

github.com/peterzen/goresolver

Затронутые версииВерсия исправления

<= 1.0.2

Отсутствует

EPSS

Процентиль: 29%

0.00103

Низкий

7.7 High

CVSS3

CVE ID

CVE-2022-3346

Дефекты

CWE-345

Связанные уязвимости

CVE-2022-3346

CVSS3: 6.5

nvd

около 3 лет назад

DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. The owner name of RRSIG RRs is not validated, permitting an attacker to present the RRSIG for an attacker-controlled domain in a response for any other domain.

EPSS

Процентиль: 29%

0.00103

Низкий

7.7 High

CVSS3

CVE ID

CVE-2022-3346

Дефекты

CWE-345