GHSA-crjg-w57m-rqqf: DNSJava vulnerable to KeyTrap - Denial-of-Service Algorithmic Complexity Attacks
Users using the ValidatingResolver for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones.
References
- github.com/advisories/GHSA-8459-gg55-8qjj
- github.com/advisories/GHSA-crjg-w57m-rqqf
- github.com/dnsjava/dnsjava
- github.com/dnsjava/dnsjava/commit/07ac36a11578cc1bce0cd8ddf2fe568f062aee78
- github.com/dnsjava/dnsjava/commit/3ddc45ce8cdb5c2274e10b7401416f497694e1cf
- github.com/dnsjava/dnsjava/security/advisories/GHSA-crjg-w57m-rqqf
- nvd.nist.gov/vuln/detail/CVE-2023-50387
 