Incorrect DNSSEC validation due to unchecked owner names in github.com/peterzen/goresolver
CVE-2022-3346

6.5MEDIUM

Key Information:

Vendor: Github.com/peterzen/goresolver
Status: Github.com/peterzen/goresolver
Vendor: CVE Published:; 28 December 2022

🔔 Create Github.com/peterzen/goresolver Vulnerability Alert

What is CVE-2022-3346?

DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. The owner name of RRSIG RRs is not validated, permitting an attacker to present the RRSIG for an attacker-controlled domain in a response for any other domain.

References

https://github.com/peterzen/goresolver/issues/5

https://pkg.go.dev/vuln/GO-2022-0979

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 28, 2022
Vulnerability Reserved
Sep 27, 2022