blob: 90b63b222737a4791cd697ad30edd257053957fa [file] [log] [blame]
id: GO-2021-0239
modules:
- module: std
versions:
- fixed: 1.15.13
- introduced: 1.16.0-0
- fixed: 1.16.5
vulnerable_at: 1.16.4
packages:
- package: net
symbols:
- Resolver.LookupAddr
- Resolver.LookupCNAME
- Resolver.LookupMX
- Resolver.LookupNS
- Resolver.LookupSRV
skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
summary: Improper sanitization when resolving values from DNS in net
description: |-
The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions and
their respective methods on the Resolver type may return arbitrary values
retrieved from DNS which do not follow the established RFC 1035 rules for domain
names. If these names are used without further sanitization, for instance
unsafely included in HTML, they may allow for injection of unexpected content.
Note that LookupTXT may still return arbitrary values that could require
sanitization before further use.
published: 2022-02-17T17:33:35Z
cves:
- CVE-2021-33195
credits:
- Philipp Jeitner
- Haya Shulman from Fraunhofer SIT
references:
- fix: https://go.dev/cl/320949
- fix: https://go.googlesource.com/go/+/c89f1224a544cde464fcb86e78ebb0cc97eedba2
- web: https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
- report: https://go.dev/issue/46241
review_status: REVIEWED