CVE-2022-3347 - Vulnerability Details - OpenCVE

DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. Root DNSSEC public keys are not validated, permitting an attacker to present a self-signed root key and delegation chain.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Go-resolver Project	Go-resolver

Configuration 1 [-]

cpe:2.3:a:go-resolver_project:go-resolver:-:*:*:*:*:go:*:*

No data.

References

Link	Providers
https://github.com/peterzen/goresolver/issues/5#issuecomment-1150214257
https://pkg.go.dev/vuln/GO-2022-1026

History

Mon, 14 Apr 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Go

Published: 2022-12-27T21:17:52.067Z

Updated: 2025-04-14T17:08:49.781Z

Reserved: 2022-09-27T23:33:30.385Z

Link: CVE-2022-3347

Vulnrichment

Updated: 2024-08-03T01:07:06.471Z

NVD

Status : Modified

Published: 2022-12-28T03:15:10.193

Modified: 2025-04-14T18:15:19.670

Link: CVE-2022-3347

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-3347", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2022-09-27T23:33:30.385Z", "datePublished": "2022-12-27T21:17:52.067Z", "dateUpdated": "2025-04-14T17:08:49.781Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2024-01-04T18:09:09.414Z"}, "title": "Incorrect validation of root DNSSEC public keys in github.com/peterzen/goresolver", "descriptions": [{"lang": "en", "value": "DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. Root DNSSEC public keys are not validated, permitting an attacker to present a self-signed root key and delegation chain."}], "affected": [{"vendor": "github.com/peterzen/goresolver", "product": "github.com/peterzen/goresolver", "collectionURL": "https://pkg.go.dev", "packageName": "github.com/peterzen/goresolver", "defaultStatus": "affected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE 295: Improper Certificate Validation"}]}], "references": [{"url": "https://github.com/peterzen/goresolver/issues/5#issuecomment-1150214257"}, {"url": "https://pkg.go.dev/vuln/GO-2022-1026"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:07:06.471Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/peterzen/goresolver/issues/5#issuecomment-1150214257", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/vuln/GO-2022-1026", "tags": ["x_transferred"]}]}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-14T17:08:24.435403Z", "id": "CVE-2022-3347", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-14T17:08:49.781Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/peterzen/goresolver/issues/5#issuecomment-1150214257", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/vuln/GO-2022-1026", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:07:06.471Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-3347", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-14T17:08:24.435403Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-14T17:08:42.823Z"}}], "cna": {"title": "Incorrect validation of root DNSSEC public keys in github.com/peterzen/goresolver", "affected": [{"vendor": "github.com/peterzen/goresolver", "product": "github.com/peterzen/goresolver", "packageName": "github.com/peterzen/goresolver", "collectionURL": "https://pkg.go.dev", "defaultStatus": "affected"}], "references": [{"url": "https://github.com/peterzen/goresolver/issues/5#issuecomment-1150214257"}, {"url": "https://pkg.go.dev/vuln/GO-2022-1026"}], "descriptions": [{"lang": "en", "value": "DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. Root DNSSEC public keys are not validated, permitting an attacker to present a self-signed root key and delegation chain."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE 295: Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2024-01-04T18:09:09.414Z"}}}, "cveMetadata": {"cveId": "CVE-2022-3347", "state": "PUBLISHED", "dateUpdated": "2025-04-14T17:08:49.781Z", "dateReserved": "2022-09-27T23:33:30.385Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2022-12-27T21:17:52.067Z", "assignerShortName": "Go"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:go-resolver_project:go-resolver:-:*:*:*:*:go:*:*", "matchCriteriaId": "13326050-272D-4B2E-9469-839B63614913", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. Root DNSSEC public keys are not validated, permitting an attacker to present a self-signed root key and delegation chain."}, {"lang": "es", "value": "La validaci\u00f3n de DNSSEC no se realiza correctamente. Un atacante puede hacer que este paquete informe una validaci\u00f3n exitosa de registros no v\u00e1lidos controlados por el atacante. Las claves p\u00fablicas DNSSEC ra\u00edz no se validan, lo que permite a un atacante presentar una clave root autofirmada y una cadena de delegaci\u00f3n."}], "id": "CVE-2022-3347", "lastModified": "2025-04-14T18:15:19.670", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-12-28T03:15:10.193", "references": [{"source": "security@golang.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/peterzen/goresolver/issues/5#issuecomment-1150214257"}, {"source": "security@golang.org", "tags": ["Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2022-1026"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/peterzen/goresolver/issues/5#issuecomment-1150214257"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2022-1026"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "nvd@nist.gov", "type": "Primary"}]}