CVE-2022-3346: go-resolver vulnerable to attacker-controlled domains due to unvalidated RRSIG RRs

December 28, 2022 (updated January 5, 2023)

DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. The owner name of RRSIG RRs is not validated, permitting an attacker to present the RRSIG for an attacker-controlled domain in a response for any other domain.

References

github.com/advisories/GHSA-87mm-qxm5-cp3f
github.com/peterzen/goresolver/issues/5
nvd.nist.gov/vuln/detail/CVE-2022-3346
pkg.go.dev/vuln/GO-2022-0979

Code Behaviors & Features

Detect and mitigate CVE-2022-3346 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →