зеркало из https://github.com/golang/vulndb.git
35 строки
1.3 KiB
YAML
35 строки
1.3 KiB
YAML
modules:
|
|
- module: std
|
|
versions:
|
|
- fixed: 1.15.13
|
|
- introduced: 1.16.0
|
|
fixed: 1.16.5
|
|
vulnerable_at: 1.16.4
|
|
packages:
|
|
- package: net
|
|
symbols:
|
|
- Resolver.LookupAddr
|
|
- Resolver.LookupCNAME
|
|
- Resolver.LookupMX
|
|
- Resolver.LookupNS
|
|
- Resolver.LookupSRV
|
|
skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
|
|
description: |
|
|
The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr
|
|
functions and their respective methods on the Resolver type may
|
|
return arbitrary values retrieved from DNS which do not follow
|
|
the established RFC 1035 rules for domain names. If these names
|
|
are used without further sanitization, for instance unsafely
|
|
included in HTML, they may allow for injection of unexpected
|
|
content. Note that LookupTXT may still return arbitrary values
|
|
that could require sanitization before further use.
|
|
published: 2022-02-17T17:33:35Z
|
|
cves:
|
|
- CVE-2021-33195
|
|
credit: Philipp Jeitner and Haya Shulman from Fraunhofer SIT
|
|
references:
|
|
- fix: https://go.dev/cl/320949
|
|
- fix: https://go.googlesource.com/go/+/c89f1224a544cde464fcb86e78ebb0cc97eedba2
|
|
- web: https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
|
|
- report: https://go.dev/issue/46241
|