CVE-2022-3347

DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. Root DNSSEC public keys are not validated, permitting an attacker to present a self-signed root key and delegation chain.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/peterzen/goresolver/issues/5#issuecomment-1150214257	Issue Tracking Third Party Advisory
https://pkg.go.dev/vuln/GO-2022-1026	Vendor Advisory
https://github.com/peterzen/goresolver/issues/5#issuecomment-1150214257	Issue Tracking Third Party Advisory
https://pkg.go.dev/vuln/GO-2022-1026	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:go-resolver_project:go-resolver:-:*:*:*:*:go:*:*

History

21 Nov 2024, 07:19

Type	Values Removed	Values Added
References	~~() https://github.com/peterzen/goresolver/issues/5#issuecomment-1150214257 - Issue Tracking, Third Party Advisory~~	() https://github.com/peterzen/goresolver/issues/5#issuecomment-1150214257 - Issue Tracking, Third Party Advisory
References	~~() https://pkg.go.dev/vuln/GO-2022-1026 - Vendor Advisory~~	() https://pkg.go.dev/vuln/GO-2022-1026 - Vendor Advisory

Information

Published : 2022-12-28 03:15

Updated : 2024-11-21 07:19

NVD link : CVE-2022-3347

Mitre link : CVE-2022-3347

CVE.ORG link : CVE-2022-3347

JSON object : View

Products Affected

go-resolver_project

go-resolver

CWE

CWE-345

Insufficient Verification of Data Authenticity

{"id": "CVE-2022-3347", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2022-12-28T03:15:10.193", "references": [{"url": "https://github.com/peterzen/goresolver/issues/5#issuecomment-1150214257", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "security@golang.org"}, {"url": "https://pkg.go.dev/vuln/GO-2022-1026", "tags": ["Vendor Advisory"], "source": "security@golang.org"}, {"url": "https://github.com/peterzen/goresolver/issues/5#issuecomment-1150214257", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://pkg.go.dev/vuln/GO-2022-1026", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-345"}]}], "descriptions": [{"lang": "en", "value": "DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. Root DNSSEC public keys are not validated, permitting an attacker to present a self-signed root key and delegation chain."}, {"lang": "es", "value": "La validaci\u00f3n de DNSSEC no se realiza correctamente. Un atacante puede hacer que este paquete informe una validaci\u00f3n exitosa de registros no v\u00e1lidos controlados por el atacante. Las claves p\u00fablicas DNSSEC ra\u00edz no se validan, lo que permite a un atacante presentar una clave root autofirmada y una cadena de delegaci\u00f3n."}], "lastModified": "2024-11-21T07:19:20.620", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:go-resolver_project:go-resolver:-:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "13326050-272D-4B2E-9469-839B63614913"}], "operator": "OR"}]}], "sourceIdentifier": "security@golang.org"}