GO-2022-0370

Source
https://pkg.go.dev/vuln/GO-2022-0370
Import Source
https://vuln.go.dev/ID/GO-2022-0370.json
JSON Data
https://api.test.osv.dev/v1/vulns/GO-2022-0370
Aliases
Published
2022-07-29T20:00:14Z
Modified
2024-05-20T16:03:47Z
Summary
Man-in-the-middle attack due to improper validation of certificate in mellium.im/xmpp
Details

Websocket client connections are vulnerable to man-in-the-middle attacks via DNS spoofing.

When looking up a WSS endpoint using a DNS TXT record, the server TLS certificate is incorrectly validated using the name of the server returned by the TXT record request, not the name of the server being connected to. This permits any attacker that can spoof a DNS record to redirect the user to a server of their choosing.

Providing a *tls.Config with a ServerName field set to the correct destination hostname will avoid this issue.
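The following Go program is an added illustration of the flaw and its mitigation; it is not code from mellium.im/xmpp. It contrasts taking the TLS ServerName from the discovered endpoint (the vulnerable pattern) with pinning it to the hostname the user originally asked for (the *tls.Config fix described above). The hostnames `example.net` and `attacker.example`, the in-process self-signed certificate, and the function names are all constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// VulnerableServerName mirrors the behaviour described in the advisory: the
// name used for certificate validation is the host of the WSS endpoint that
// came back from the DNS TXT lookup. Whoever controls that answer therefore
// also chooses which certificate will be accepted.
func VulnerableServerName(endpoint *url.URL) string {
	return endpoint.Hostname()
}

// FixedTLSConfig pins ServerName to the domain the user actually intends to
// reach. The TXT record may still decide where the TCP connection goes, but
// the presented certificate must be valid for the original domain.
func FixedTLSConfig(origin string) *tls.Config {
	return &tls.Config{
		ServerName: origin,
		MinVersion: tls.VersionTLS12,
	}
}

// selfSignedCert builds a throw-away certificate valid only for dnsName.
// It is constructed test data standing in for the certificate a spoofed
// server would present; a real attacker would hold a CA-issued one.
func selfSignedCert(dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostnameAccepted reports whether cert would pass the hostname check that
// crypto/tls performs for the given ServerName.
func hostnameAccepted(cert *x509.Certificate, serverName string) bool {
	return cert.VerifyHostname(serverName) == nil
}

func main() {
	// The user wants example.net; a spoofed TXT answer points at attacker.example.
	origin := "example.net"
	endpoint, _ := url.Parse("wss://attacker.example/xmpp-websocket")

	cert, err := selfSignedCert("attacker.example")
	if err != nil {
		panic(err)
	}

	fmt.Printf("vulnerable (ServerName from TXT): accepted=%v\n",
		hostnameAccepted(cert, VulnerableServerName(endpoint)))
	fmt.Printf("fixed (ServerName pinned to %s): accepted=%v\n",
		origin, hostnameAccepted(cert, FixedTLSConfig(origin).ServerName))
}
```

Running it shows the attacker's certificate passing the hostname check under the vulnerable pattern and failing once ServerName is pinned to the original domain, which is exactly what supplying a `*tls.Config` with `ServerName` set achieves in the affected versions.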

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2022-0370"
}
References

Affected packages

Go / mellium.im/xmpp

Package

Name
mellium.im/xmpp
Purl
pkg:golang/mellium.im/xmpp

Affected ranges

Type
SEMVER
Events
Introduced
0.18.0
Fixed
0.21.1

Ecosystem specific

{
    "imports": [
        {
            "path": "mellium.im/xmpp/websocket",
            "symbols": [
                "Dial",
                "DialDirect",
                "DialSession",
                "Dialer.Dial",
                "Dialer.DialDirect",
                "Dialer.config",
                "NewClient"
            ]
        }
    ]
}