CVE-2022-24968

Description

Websocket client connections are vulnerable to man-in-the-middle attacks via DNS spoofing. When looking up a WSS endpoint using a DNS TXT record, the server TLS certificate is incorrectly validated using the name of the server returned by the TXT record request, not the name of the the server being connected to. This permits any attacker that can spoof a DNS record to redirect the user to a server of their choosing. Providing a *tls.Config with a ServerName field set to the correct destination hostname will avoid this issue.

How to fix CVE-2022-24968

To remediate CVE-2022-24968, upgrade the affected package to a fixed version below.

• —upgrade to 0.21.1 or later
• —upgrade to 0.21.1 or later
• —upgrade to 0.21.1 or later

Is CVE-2022-24968 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

• >= 0.18.0, < 0.21.1
• >= 0.18.0, < 0.21.1
• >= 0.18.0, < 0.21.1

CVSS scores

References (10)

• ADVISORYmellium.im/cve/cve-2022-24968/
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-24968
• PATCHgithub.com/mellium/xmpp
• WEBgithub.com/mellium/xmpp/commit/0d92aa486da69b71f2f4a30e62aa722c711b98ac
• WEB