Vulnerability Report: GO-2022-0370

CVE-2022-24968, GHSA-h289-x5wc-xcv8, and 1 more
Affects: mellium.im/xmpp
Published: Jul 29, 2022
Modified: Jun 12, 2023

Websocket client connections are vulnerable to man-in-the-middle attacks via DNS spoofing. When looking up a WSS endpoint using a DNS TXT record, the server TLS certificate is incorrectly validated using the name of the server returned by the TXT record request, not the name of the the server being connected to. This permits any attacker that can spoof a DNS record to redirect the user to a server of their choosing. Providing a *tls.Config with a ServerName field set to the correct destination hostname will avoid this issue.

For detailed information about this vulnerability, visit https://mellium.im/cve/cve-2022-24968/.

Affected Packages

Path

Versions

Symbols
mellium.im/xmpp/websocket

from v0.18.0 before v0.21.1
6 affected symbols

Aliases

CVE-2022-24968
GHSA-h289-x5wc-xcv8
GHSA-m658-p24x-p74r

References

https://mellium.im/cve/cve-2022-24968/
https://github.com/mellium/xmpp/pull/260
https://github.com/mellium/xmpp/commit/0d92aa486da69b71f2f4a30e62aa722c711b98ac
https://mellium.im/issue/259
https://vuln.go.dev/ID/GO-2022-0370.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL