{"id":"GO-2022-0947","details":"In Mellium mellium.im/xmpp, an attacker capable of spoofing DNS TXT records\ncan redirect a WebSocket connection request to a server under their control\nwithout causing TLS certificate verification to fail. This occurs because\nthe wrong host name is selected during verification.\n","modified":"2022-08-29T16:50:59Z","published":"2022-08-22T17:20:29Z","withdrawn":"2024-05-15T05:37:10.715008Z","references":[{"type":"FIX","url":"https://codeberg.org/mellium/xmpp/pulls/260"},{"type":"FIX","url":"https://codeberg.org/mellium/xmpp/commit/0d92aa486da69b71f2f4a30e62aa722c711b98ac"},{"type":"WEB","url":"https://mellium.im/cve/cve-2022-24968/"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24968"},{"type":"REPORT","url":"https://mellium.im/issue/259"}],"affected":[{"package":{"name":"mellium.im/xmpp","ecosystem":"Go","purl":"pkg:golang/mellium.im/xmpp"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.18.0"},{"fixed":"0.21.1"}]}],"ecosystem_specific":{"imports":[{"path":"mellium.im/xmpp/websocket","symbols":["Dial","DialDirect","DialSession","Dialer.Dial","Dialer.DialDirect","Dialer.config","NewClient"]}]},"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0947","source":"https://vuln.go.dev/ID/GO-2022-0947.json"}}],"schema_version":"1.7.3"}