| { |
| "id": "GO-2022-0370", |
| "published": "2022-07-29T20:00:14Z", |
| "modified": "0001-01-01T00:00:00Z", |
| "aliases": [ |
| "CVE-2022-24968", |
| "GHSA-h289-x5wc-xcv8", |
| "GHSA-m658-p24x-p74r" |
| ], |
| "details": "Websocket client connections are vulnerable to man-in-the-middle\nattacks via DNS spoofing.\n\nWhen looking up a WSS endpoint using a DNS TXT record, the server\nTLS certificate is incorrectly validated using the name of the\nserver returned by the TXT record request, not the name of the\nthe server being connected to. This permits any attacker that\ncan spoof a DNS record to redirect the user to a server of their\nchoosing.\n\nProviding a *tls.Config with a ServerName field set to the\ncorrect destination hostname will avoid this issue.\n", |
| "affected": [ |
| { |
| "package": { |
| "name": "mellium.im/xmpp", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0.18.0" |
| }, |
| { |
| "fixed": "0.21.1" |
| } |
| ] |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2022-0370" |
| }, |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "mellium.im/xmpp/websocket", |
| "symbols": [ |
| "Dial", |
| "DialDirect", |
| "DialSession", |
| "Dialer.Dial", |
| "Dialer.DialDirect", |
| "Dialer.config", |
| "NewClient" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "ADVISORY", |
| "url": "https://mellium.im/cve/cve-2022-24968/" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://github.com/mellium/xmpp/pull/260" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://github.com/mellium/xmpp/commit/0d92aa486da69b71f2f4a30e62aa722c711b98ac" |
| }, |
| { |
| "type": "REPORT", |
| "url": "https://mellium.im/issue/259" |
| } |
| ] |
| } |
