blob: 153fcd9303eef803af46bb0f4d838a9b0aa4ec56 [file] [log] [blame]
id: GO-2024-2824
modules:
- module: std
versions:
- introduced: 1.22.0-0
- fixed: 1.22.3
vulnerable_at: 1.22.2
packages:
- package: net
symbols:
- extractExtendedRCode
derived_symbols:
- Dial
- DialTimeout
- Dialer.Dial
- Dialer.DialContext
- Listen
- ListenConfig.Listen
- ListenConfig.ListenPacket
- ListenPacket
- LookupAddr
- LookupCNAME
- LookupHost
- LookupIP
- LookupMX
- LookupNS
- LookupSRV
- LookupTXT
- ResolveIPAddr
- ResolveTCPAddr
- ResolveUDPAddr
- Resolver.LookupAddr
- Resolver.LookupCNAME
- Resolver.LookupHost
- Resolver.LookupIP
- Resolver.LookupIPAddr
- Resolver.LookupMX
- Resolver.LookupNS
- Resolver.LookupNetIP
- Resolver.LookupSRV
- Resolver.LookupTXT
summary: Malformed DNS message can cause infinite loop in net
description: |-
A malformed DNS message in response to a query can cause the Lookup functions to
get stuck in an infinite loop.
credits:
- '@long-name-let-people-remember-you'
- Mateusz Poliwczak
references:
- report: https://go.dev/issue/66754
- fix: https://go.dev/cl/578375
- web: https://groups.google.com/g/golang-announce/c/wkkO4P9stm0
cve_metadata:
id: CVE-2024-24788
cwe: 'CWE 400: Uncontrolled Resource Consumption'
references:
- http://www.openwall.com/lists/oss-security/2024/05/08/3
- https://security.netapp.com/advisory/ntap-20240605-0002/
- https://security.netapp.com/advisory/ntap-20240614-0001/
source:
id: go-security-team
created: 2024-05-07T16:56:31.886878-04:00
review_status: REVIEWED