Skip to main content

Insufficient Verification of Data Authenticity

CVE-2022-3346

Severity Medium
Score 6.5/10

Summary

DNSSEC validation is not performed correctly in github.com/peterzen/goresolver. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. The owner name of RRSIG RRs is not validated, permitting an attacker to present the RRSIG for an attacker-controlled domain in a response for any other domain. This has the same fix as CVE-2022-3347.

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • REQUIRED
  • NONE
  • NONE
  • NONE

CWE-345 - Insufficient Verification of Data Authenticity

The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Advisory Timeline

  • Published