| id: GO-2022-1026 |
| modules: |
| - module: github.com/peterzen/goresolver |
| vulnerable_at: 1.0.2 |
| packages: |
| - package: github.com/peterzen/goresolver |
| summary: |- |
| Incorrect validation of root DNSSEC public keys in |
| github.com/peterzen/goresolver |
| description: |- |
| DNSSEC validation is not performed correctly. An attacker can cause this package |
| to report successful validation for invalid, attacker-controlled records. |
| |
| Root DNSSEC public keys are not validated, permitting an attacker to present a |
| self-signed root key and delegation chain. |
| ghsas: |
| - GHSA-jr65-gpj5-cw74 |
| references: |
| - report: https://github.com/peterzen/goresolver/issues/5#issuecomment-1150214257 |
| cve_metadata: |
| id: CVE-2022-3347 |
| cwe: 'CWE 295: Improper Certificate Validation' |
| review_status: REVIEWED |