Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/coredns/coredns: GHSA-hfmw-7g3m-gj6q #3130

Closed
GoVulnBot opened this issue Sep 18, 2024 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/coredns/coredns: GHSA-hfmw-7g3m-gj6q #3130

GoVulnBot opened this issue Sep 18, 2024 · 1 comment
Assignees
@zpavlinovic
Labels
triaged

Comments

@GoVulnBot
Copy link

Advisory GHSA-hfmw-7g3m-gj6q references a vulnerability in the following Go modules:

Module
github.com/coredns/coredns

Description:
An issue was discovered in CoreDNS through 1.10.1. There is a vulnerability in DNS resolving software, which triggers a resolver to ignore valid responses, thus causing denial of service for normal resolution. In an exploit, the attacker could just forge a response targeting the source port of a vulnerable resolver without the need to guess the correct TXID.

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/coredns/coredns
      versions:
        - fixed: 1.11.0
      vulnerable_at: 1.10.1
summary: CoreDNS vulnerable to TuDoor Attacks in github.com/coredns/coredns
cves:
    - CVE-2023-28452
ghsas:
    - GHSA-hfmw-7g3m-gj6q
references:
    - advisory: https://github.com/advisories/GHSA-hfmw-7g3m-gj6q
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-28452
    - fix: https://github.com/coredns/coredns/commit/604a902e2c7e0317aecaa3666124079c75a31573
    - web: https://coredns.io
    - web: https://gist.github.com/idealeer/e41c7fb3b661d4262d0b6f21e12168ba
source:
    id: GHSA-hfmw-7g3m-gj6q
    created: 2024-09-18T18:01:26.001179285Z
review_status: UNREVIEWED
@zpavlinovic zpavlinovic self-assigned this Sep 19, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/614078 mentions this issue: data/reports: add GO-2024-3130

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@zpavlinovic zpavlinovic

Labels
triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@zpavlinovic @gopherbot @GoVulnBot