| { |
| "id": "GO-2021-0239", |
| "published": "2022-02-17T17:33:35Z", |
| "modified": "0001-01-01T00:00:00Z", |
| "aliases": [ |
| "CVE-2021-33195" |
| ], |
| "details": "The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr\nfunctions and their respective methods on the Resolver type may\nreturn arbitrary values retrieved from DNS which do not follow\nthe established RFC 1035 rules for domain names. If these names\nare used without further sanitization, for instance unsafely\nincluded in HTML, they may allow for injection of unexpected\ncontent. Note that LookupTXT may still return arbitrary values\nthat could require sanitization before further use.\n", |
| "affected": [ |
| { |
| "package": { |
| "name": "stdlib", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "1.15.13" |
| }, |
| { |
| "introduced": "1.16.0" |
| }, |
| { |
| "fixed": "1.16.5" |
| } |
| ] |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2021-0239" |
| }, |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "net", |
| "symbols": [ |
| "Resolver.LookupAddr", |
| "Resolver.LookupCNAME", |
| "Resolver.LookupMX", |
| "Resolver.LookupNS", |
| "Resolver.LookupSRV" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "FIX", |
| "url": "https://go.dev/cl/320949" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://go.googlesource.com/go/+/c89f1224a544cde464fcb86e78ebb0cc97eedba2" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI" |
| }, |
| { |
| "type": "REPORT", |
| "url": "https://go.dev/issue/46241" |
| } |
| ] |
| } |
