{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-3346", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2022-09-27T23:06:28.124Z", "datePublished": "2022-12-27T21:17:48.222Z", "dateUpdated": "2024-08-03T01:07:06.519Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2024-01-04T18:08:50.928Z"}, "title": "Incorrect DNSSEC validation due to unchecked owner names in github.com/peterzen/goresolver", "descriptions": [{"lang": "en", "value": "DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. The owner name of RRSIG RRs is not validated, permitting an attacker to present the RRSIG for an attacker-controlled domain in a response for any other domain."}], "affected": [{"vendor": "github.com/peterzen/goresolver", "product": "github.com/peterzen/goresolver", "collectionURL": "https://pkg.go.dev", "packageName": "github.com/peterzen/goresolver", "defaultStatus": "affected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE 347: Improper Verification of Cryptographic Signature"}]}], "references": [{"url": "https://github.com/peterzen/goresolver/issues/5"}, {"url": "https://pkg.go.dev/vuln/GO-2022-0979"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:07:06.519Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/peterzen/goresolver/issues/5", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/vuln/GO-2022-0979", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:go-resolver_project:go-resolver:-:*:*:*:*:go:*:*", "matchCriteriaId": "13326050-272D-4B2E-9469-839B63614913", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. The owner name of RRSIG RRs is not validated, permitting an attacker to present the RRSIG for an attacker-controlled domain in a response for any other domain."}, {"lang": "es", "value": "La validaci\u00f3n de DNSSEC no se realiza correctamente. Un atacante puede hacer que este paquete informe una validaci\u00f3n exitosa de registros no v\u00e1lidos controlados por el atacante. El nombre del propietario de los RR RRSIG no est\u00e1 validado, lo que permite a un atacante presentar el RRSIG de un dominio controlado por el atacante en una respuesta para cualquier otro dominio."}], "id": "CVE-2022-3346", "lastModified": "2023-01-06T19:12:13.637", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-28T03:15:10.140", "references": [{"source": "security@golang.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/peterzen/goresolver/issues/5"}, {"source": "security@golang.org", "tags": ["Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2022-0979"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}