golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in github.com/peterzen/goresolver: GHSA-87mm-qxm5-cp3f #1273

Closed GoVulnBot closed 1 year ago

GoVulnBot commented 1 year ago

In GitHub Security Advisory GHSA-87mm-qxm5-cp3f, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| github.com/peterzen/goresolver | | <= 1.0.2 |

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: TODO
    versions:
      - {}
    packages:
      - package: github.com/peterzen/goresolver
description: go-resolver's DNSSEC validation is not performed correctly. An attacker
    can cause this package to report successful validation for invalid, attacker-controlled
    records. The owner name of RRSIG RRs is not validated, permitting an attacker
    to present the RRSIG for an attacker-controlled domain in a response for any other
    domain.
cves:
  - CVE-2022-3346
ghsas:
  - GHSA-87mm-qxm5-cp3f

tatianab commented 1 year ago

Duplicate of https://github.com/golang/vulndb/issues/979

gopherbot commented 1 year ago

Change https://go.dev/cl/461475 mentions this issue: data/reports: add alias for GO-2022-0979.yaml