Lucene search

GitHub Advisory DatabaseGHSA-JR65-GPJ5-CW74

HistoryDec 28, 2022 - 3:30 a.m.

go-resolver's DNSSEC validation not performed correctly

2022-12-2803:30:28

CWE-345

CWE-347

GitHub Advisory Database

github.com

go-resolver

dnssec

validation

vulnerability

attacker

records

software

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

34.6%

JSON

go-resolver’s DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. Root DNSSEC public keys are not validated, permitting an attacker to present a self-signed root key and delegation chain.

Affected configurations

Vulners

Node

peterzengoresolverRange≤1.0.2

VendorProductVersionCPE
peterzengoresolver*cpe:2.3:a:peterzen:goresolver:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
peterzen	goresolver	*	cpe:2.3:a:peterzen:goresolver::::::::

References

github.com/advisories/GHSA-jr65-gpj5-cw74

github.com/peterzen/goresolver/issues/5#issuecomment-1150214257

nvd.nist.gov/vuln/detail/CVE-2022-3347

pkg.go.dev/vuln/GO-2022-1026

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

34.6%

JSON

Related for GHSA-JR65-GPJ5-CW74