commit 8b3b4a35019eddbbde60247ee25986ad1e756b92
author Damien Neil <dneil@google.com> Mon Mar 14 13:39:48 2022 -0700
committer Damien Neil <dneil@google.com> Tue Mar 15 19:38:30 2022 +0000
tree ca3e5c756d1af91fcb2d2973de44a5e3cc5b835b
parent 329db54bf159d54abed75ec55abce8bfae53c926

reports: add GO-2021-0321.yaml for CVE-2022-24968

Fixes golang/vulndb#321

Change-Id: Ifb6f0c8438bcf0464b190e68eb10e29cf84d3d94
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/392757
Trust: Damien Neil <dneil@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Julie Qiu <julie@golang.org>

reports/GO-2021-0321.yaml

diff --git a/reports/GO-2021-0321.yaml b/reports/GO-2021-0321.yaml
new file mode 100644
index 0000000..3ca9530
--- /dev/null
+++ b/reports/GO-2021-0321.yaml
@@ -0,0 +1,20 @@
+module: mellium.im/xmpp
+package: mellium.im/xmpp/websocket
+versions:
+  - introduced: v0.18.0
+    fixed: v0.21.1
+description: |
+    An attacker capable of spoofing DNS TXT records can redirect a
+    WebSocket connection request to a server under their control without
+    causing TLS certificate verification to fail. This occurs because
+    the wrong host name is selected during this verification.
+cves:
+  - CVE-2022-24968
+credit: Travis Burtrum
+symbols:
+  - Dialer.config
+links:
+    pr: https://github.com/mellium/xmpp/pull/260
+    commit: https://github.com/mellium/xmpp/commit/0d92aa486da69b71f2f4a30e62aa722c711b98ac
+    context:
+      - https://mellium.im/cve/cve-2022-24968/