Vulnerability Report: GO-2021-0239

standard library

CVE-2021-33195
Affects: net
Published: Feb 17, 2022
Modified: May 20, 2024

The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions and their respective methods on the Resolver type may return arbitrary values retrieved from DNS which do not follow the established RFC 1035 rules for domain names. If these names are used without further sanitization, for instance unsafely included in HTML, they may allow for injection of unexpected content. Note that LookupTXT may still return arbitrary values that could require sanitization before further use.

Affected Packages

Path

Go Versions

Symbols
net

before go1.15.13, from go1.16.0-0 before go1.16.5
5 affected symbols

Aliases

CVE-2021-33195

References

https://go.dev/cl/320949
https://go.googlesource.com/go/+/c89f1224a544cde464fcb86e78ebb0cc97eedba2
https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
https://go.dev/issue/46241
https://vuln.go.dev/ID/GO-2021-0239.json

Credits

Philipp Jeitner, Haya Shulman from Fraunhofer SIT

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL