reports: add GO-2021-0321.yaml for CVE-2022-24968
Fixes golang/vulndb#321
Change-Id: Ifb6f0c8438bcf0464b190e68eb10e29cf84d3d94
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/392757
Trust: Damien Neil <dneil@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Julie Qiu <julie@golang.org>
diff --git a/reports/GO-2021-0321.yaml b/reports/GO-2021-0321.yaml
new file mode 100644
index 0000000..3ca9530
--- /dev/null
+++ b/reports/GO-2021-0321.yaml
@@ -0,0 +1,20 @@
+module: mellium.im/xmpp
+package: mellium.im/xmpp/websocket
+versions:
+ - introduced: v0.18.0
+ fixed: v0.21.1
+description: |
+ An attacker capable of spoofing DNS TXT records can redirect a
+ WebSocket connection request to a server under their control without
+ causing TLS certificate verification to fail. This occurs because
+ the wrong host name is selected during this verification.
+cves:
+ - CVE-2022-24968
+credit: Travis Burtrum
+symbols:
+ - Dialer.config
+links:
+ pr: https://github.com/mellium/xmpp/pull/260
+ commit: https://github.com/mellium/xmpp/commit/0d92aa486da69b71f2f4a30e62aa722c711b98ac
+ context:
+ - https://mellium.im/cve/cve-2022-24968/
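Review bot: the last sentence of the description ("the wrong host name is selected during this verification") does not say which name the certificate is checked against or which name it should be checked against, so the report alone does not explain why verification still succeeds after the redirect. Consider naming both, taking the wording from the linked context page. Two smaller points: the file is named GO-2021-0321 while the only CVE listed is CVE-2022-24968, so please confirm the year in the ID is intended; and the single entry under symbols, Dialer.config, is lower-case and therefore unexported, so a brief mention of how callers of the websocket package reach it would help anyone matching this entry against their own code.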