CVE-2022-3346

DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. The owner name of RRSIG RRs is not validated, permitting an attacker to present the RRSIG for an attacker-controlled domain in a response for any other domain.
References
Link Resource
https://github.com/peterzen/goresolver/issues/5 Issue Tracking Third Party Advisory
https://pkg.go.dev/vuln/GO-2022-0979 Vendor Advisory
https://github.com/peterzen/goresolver/issues/5 Issue Tracking Third Party Advisory
https://pkg.go.dev/vuln/GO-2022-0979 Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:go-resolver_project:go-resolver:-:*:*:*:*:go:*:*

History

21 Nov 2024, 07:19

Type Values Removed Values Added
References () https://github.com/peterzen/goresolver/issues/5 - Issue Tracking, Third Party Advisory () https://github.com/peterzen/goresolver/issues/5 - Issue Tracking, Third Party Advisory
References () https://pkg.go.dev/vuln/GO-2022-0979 - Vendor Advisory () https://pkg.go.dev/vuln/GO-2022-0979 - Vendor Advisory
Summary
  • (es) La validación de DNSSEC no se realiza correctamente. Un atacante puede hacer que este paquete informe una validación exitosa de registros no válidos controlados por el atacante. El nombre del propietario de los RR RRSIG no está validado, lo que permite a un atacante presentar el RRSIG de un dominio controlado por el atacante en una respuesta para cualquier otro dominio.

Information

Published : 2022-12-28 03:15

Updated : 2025-04-14 17:15


NVD link : CVE-2022-3346

Mitre link : CVE-2022-3346

CVE.ORG link : CVE-2022-3346


JSON object : View

Products Affected

go-resolver_project

  • go-resolver
CWE
CWE-345

Insufficient Verification of Data Authenticity