mirror of https://github.com/golang/vulndb.git
44 lines
1.4 KiB
YAML
id: GO-2022-0370
modules:
    - module: mellium.im/xmpp
      versions:
          - introduced: 0.18.0
            fixed: 0.21.1
      vulnerable_at: 0.21.0
      packages:
          - package: mellium.im/xmpp/websocket
            symbols:
                - Dialer.config
            derived_symbols:
                - Dial
                - DialDirect
                - DialSession
                - Dialer.Dial
                - Dialer.DialDirect
                - NewClient
summary: 'TODO(https://go.dev/issue/56443): fill in summary field'
description: |
    Websocket client connections are vulnerable to man-in-the-middle
    attacks via DNS spoofing.

    When looking up a WSS endpoint using a DNS TXT record, the server
    TLS certificate is incorrectly validated using the name of the
    server returned by the TXT record request, not the name of the
    server being connected to. This permits any attacker that
    can spoof a DNS record to redirect the user to a server of their
    choosing.

    Providing a *tls.Config with a ServerName field set to the
    correct destination hostname will avoid this issue.
published: 2022-07-29T20:00:14Z
cves:
    - CVE-2022-24968
ghsas:
    - GHSA-h289-x5wc-xcv8
    - GHSA-m658-p24x-p74r
references:
    - advisory: https://mellium.im/cve/cve-2022-24968/
    - fix: https://github.com/mellium/xmpp/pull/260
    - fix: https://github.com/mellium/xmpp/commit/0d92aa486da69b71f2f4a30e62aa722c711b98ac
    - report: https://mellium.im/issue/259