CVE-2022-3346

DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. The owner name of RRSIG RRs is not validated, permitting an attacker to present the RRSIG for an attacker-controlled domain in a response for any other domain.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/peterzen/goresolver/issues/5	Issue Tracking Third Party Advisory
https://pkg.go.dev/vuln/GO-2022-0979	Vendor Advisory
https://github.com/peterzen/goresolver/issues/5	Issue Tracking Third Party Advisory
https://pkg.go.dev/vuln/GO-2022-0979	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:go-resolver_project:go-resolver:-:*:*:*:*:go:*:*

History

21 Nov 2024, 07:19

Type	Values Removed	Values Added
References	~~() https://github.com/peterzen/goresolver/issues/5 - Issue Tracking, Third Party Advisory~~	() https://github.com/peterzen/goresolver/issues/5 - Issue Tracking, Third Party Advisory
References	~~() https://pkg.go.dev/vuln/GO-2022-0979 - Vendor Advisory~~	() https://pkg.go.dev/vuln/GO-2022-0979 - Vendor Advisory
Summary		(es) La validación de DNSSEC no se realiza correctamente. Un atacante puede hacer que este paquete informe una validación exitosa de registros no válidos controlados por el atacante. El nombre del propietario de los RR RRSIG no está validado, lo que permite a un atacante presentar el RRSIG de un dominio controlado por el atacante en una respuesta para cualquier otro dominio.

Information

Published : 2022-12-28 03:15

Updated : 2025-04-14 17:15

NVD link : CVE-2022-3346

Mitre link : CVE-2022-3346

CVE.ORG link : CVE-2022-3346

JSON object : View

Products Affected

go-resolver_project

go-resolver

CWE

CWE-345

Insufficient Verification of Data Authenticity

{"id": "CVE-2022-3346", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2022-12-28T03:15:10.140", "references": [{"url": "https://github.com/peterzen/goresolver/issues/5", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "security@golang.org"}, {"url": "https://pkg.go.dev/vuln/GO-2022-0979", "tags": ["Vendor Advisory"], "source": "security@golang.org"}, {"url": "https://github.com/peterzen/goresolver/issues/5", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://pkg.go.dev/vuln/GO-2022-0979", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-345"}]}], "descriptions": [{"lang": "en", "value": "DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. The owner name of RRSIG RRs is not validated, permitting an attacker to present the RRSIG for an attacker-controlled domain in a response for any other domain."}, {"lang": "es", "value": "La validaci\u00f3n de DNSSEC no se realiza correctamente. Un atacante puede hacer que este paquete informe una validaci\u00f3n exitosa de registros no v\u00e1lidos controlados por el atacante. El nombre del propietario de los RR RRSIG no est\u00e1 validado, lo que permite a un atacante presentar el RRSIG de un dominio controlado por el atacante en una respuesta para cualquier otro dominio."}], "lastModified": "2025-04-14T17:15:25.600", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:go-resolver_project:go-resolver:-:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "13326050-272D-4B2E-9469-839B63614913"}], "operator": "OR"}]}], "sourceIdentifier": "security@golang.org"}

6.5 /10