blob: f46c15219e05049a5a660662b6086217d92c3d49 [file] [log] [blame]
{
"schema_version": "1.3.1",
"id": "GO-2021-0239",
"modified": "0001-01-01T00:00:00Z",
"published": "2022-02-17T17:33:35Z",
"aliases": [
"CVE-2021-33195"
],
"summary": "Improper sanitization when resolving values from DNS in net",
"details": "The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions and their respective methods on the Resolver type may return arbitrary values retrieved from DNS which do not follow the established RFC 1035 rules for domain names. If these names are used without further sanitization, for instance unsafely included in HTML, they may allow for injection of unexpected content. Note that LookupTXT may still return arbitrary values that could require sanitization before further use.",
"affected": [
{
"package": {
"name": "stdlib",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.15.13"
},
{
"introduced": "1.16.0-0"
},
{
"fixed": "1.16.5"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "net",
"symbols": [
"Resolver.LookupAddr",
"Resolver.LookupCNAME",
"Resolver.LookupMX",
"Resolver.LookupNS",
"Resolver.LookupSRV"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://go.dev/cl/320949"
},
{
"type": "FIX",
"url": "https://go.googlesource.com/go/+/c89f1224a544cde464fcb86e78ebb0cc97eedba2"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI"
},
{
"type": "REPORT",
"url": "https://go.dev/issue/46241"
}
],
"credits": [
{
"name": "Philipp Jeitner"
},
{
"name": "Haya Shulman from Fraunhofer SIT"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0239",
"review_status": "REVIEWED"
}
}