CVE-2022-3347: go-resolver's DNSSEC validation not performed correctly

December 28, 2022 (updated December 29, 2022)

DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. Root DNSSEC public keys are not validated, permitting an attacker to present a self-signed root key and delegation chain.

References

github.com/advisories/GHSA-jr65-gpj5-cw74
github.com/peterzen/goresolver/issues/5
nvd.nist.gov/vuln/detail/CVE-2022-3347
pkg.go.dev/vuln/GO-2022-1026

Code Behaviors & Features

Detect and mitigate CVE-2022-3347 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →