CVE-2022-24968
- Affected components:
  - mellium.im/xmpp/websocket
- Affected versions:
  - v0.18.0
  - v0.19.0
  - v0.20.0
  - v0.21.0
- Fixed in:
  - v0.21.1
- Assigned CVE:
  - CVE-2022-24968
If no TLS configuration is provided by the user, the websocket package constructs its own TLS configuration using recommended defaults. When looking up a WSS endpoint using the DNS TXT record method described in XEP-0156: Discovering Alternative XMPP Connection Methods, the ServerName field of that TLS configuration was incorrectly being set to the name of the server returned by the TXT record lookup, not the name of the initial server we were attempting to connect to. This means that any attacker who can spoof a DNS record (i.e. in the absence of DNSSEC, DNS-over-TLS, DNS-over-HTTPS, or similar technologies) could redirect the user to a server of their choosing, and as long as that server had a valid TLS certificate for its own name the connection would succeed, resulting in a MITM situation.
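To make the distinction concrete, the following Go program is an added illustration (it is not mellium's code and does not use the mellium.im/xmpp API). It mints a throwaway certificate valid only for a constructed attacker host, then runs two TLS handshakes over an in-memory pipe: one with ServerName taken from the host in a constructed XEP-0156 WSS URL (the pre-fix behaviour, which the client accepts) and one with ServerName kept as the origin domain (the fixed behaviour, which the client refuses). The names example.net and attacker.example are placeholders for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// Constructed names: the XMPP domain the user asked to connect to, and the
// endpoint an attacker-controlled TXT record pointed the client at.
const (
	originDomain  = "example.net"
	discoveredWSS = "wss://attacker.example/xmpp-websocket"
)

// selfSignedCert mints a throwaway certificate valid only for dnsName and a
// root pool that trusts it. It stands in for a publicly trusted certificate
// the attacker legitimately holds for their own host.
func selfSignedCert(dnsName string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: dnsName},
		DNSNames:              []string{dnsName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, roots, nil
}

// handshakeWithServerName runs a TLS handshake over an in-memory pipe against
// a server presenting cert. The client checks the certificate against
// serverName exactly as tls.Config.ServerName is checked in a real dial; the
// returned error is the client's verdict (nil means the server was accepted).
func handshakeWithServerName(cert tls.Certificate, roots *x509.CertPool, serverName string) error {
	clientConn, serverConn := net.Pipe()
	defer clientConn.Close()
	defer serverConn.Close()

	srv := tls.Server(serverConn, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
	go func() { _ = srv.Handshake() }() // any failure surfaces on the client side

	cli := tls.Client(clientConn, &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12})
	return cli.Handshake()
}

// discoveredHost extracts the host from a WSS URL obtained via a TXT record.
// Using this as ServerName is the vulnerable, pre-fix behaviour.
func discoveredHost(wssURL string) (string, error) {
	u, err := url.Parse(wssURL)
	if err != nil {
		return "", err
	}
	return u.Hostname(), nil
}

func main() {
	cert, roots, err := selfSignedCert("attacker.example")
	if err != nil {
		panic(err)
	}
	host, _ := discoveredHost(discoveredWSS)
	// Vulnerable: the attacker's own valid certificate passes verification.
	fmt.Printf("ServerName=%q: err=%v\n", host, handshakeWithServerName(cert, roots, host))
	// Fixed: the origin domain is verified, so the attacker's certificate is refused.
	fmt.Printf("ServerName=%q: err=%v\n", originDomain, handshakeWithServerName(cert, roots, originDomain))
}
```

The point the two handshakes make is that the server presented a perfectly valid certificate both times; the only thing that changed is which name the client insisted on. DNS discovery may legitimately send the client to a different host, but the certificate must still be checked against the domain the user asked for.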
For more information see this email to the XSF standards list.
Thanks to Travis Burtrum for the initial report.