| id: GO-2022-0370 |
| modules: |
| - module: mellium.im/xmpp |
| versions: |
| - introduced: 0.18.0 |
| fixed: 0.21.1 |
| vulnerable_at: 0.21.0 |
| packages: |
| - package: mellium.im/xmpp/websocket |
| symbols: |
| - Dialer.config |
| derived_symbols: |
| - Dial |
| - DialDirect |
| - DialSession |
| - Dialer.Dial |
| - Dialer.DialDirect |
| - NewClient |
| summary: |- |
| Man-in-the-middle attack due to improper validation of certificate in |
| mellium.im/xmpp |
| description: |- |
| Websocket client connections are vulnerable to man-in-the-middle attacks via DNS |
| spoofing. |
| |
| When looking up a WSS endpoint using a DNS TXT record, the server TLS |
| certificate is incorrectly validated using the name of the server returned by |
| the TXT record request, not the name of the the server being connected to. This |
| permits any attacker that can spoof a DNS record to redirect the user to a |
| server of their choosing. |
| |
| Providing a *tls.Config with a ServerName field set to the correct destination |
| hostname will avoid this issue. |
| published: 2022-07-29T20:00:14Z |
| cves: |
| - CVE-2022-24968 |
| ghsas: |
| - GHSA-h289-x5wc-xcv8 |
| - GHSA-m658-p24x-p74r |
| references: |
| - advisory: https://mellium.im/cve/cve-2022-24968/ |
| - fix: https://github.com/mellium/xmpp/pull/260 |
| - fix: https://github.com/mellium/xmpp/commit/0d92aa486da69b71f2f4a30e62aa722c711b98ac |
| - report: https://mellium.im/issue/259 |