Miggo Logo
Miggo Vulnerability Database
CVE-2022-3347

CVE-2022-3347: go-resolver's DNSSEC validation not performed correctly

7.7

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-3347
GHSA ID
GHSA-jr65-gpj5-cw74
EPSS Score
0.25798%
CWE
CWE-345
Published
12/28/2022
Updated
1/23/2024
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/peterzen/goresolvergo<= 1.0.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from two core issues: 1) Missing verification that RRSIG signer names match the queried domain (as explicitly described in GitHub issue #5), and 2) Lack of root key validation. While exact function names aren't provided in available sources, the DNSSEC validation workflow would inherently require these checks in its signature verification and trust chain validation routines. The high confidence comes from multiple independent sources (NVD, GitHub Advisory, issue tracker) consistently describing these specific validation failures as the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*o-r*solv*r's *NSS** v*li**tion is not p*r*orm** *orr**tly. *n *tt**k*r **n **us* t*is p**k*** to r*port su***ss*ul v*li**tion *or inv*li*, *tt**k*r-*ontroll** r**or*s. Root *NSS** pu*li* k*ys *r* not v*li**t**, p*rmittin* *n *tt**k*r to pr*s*nt * s*

Reasoning

T** vuln*r**ility st*ms *rom two *or* issu*s: *) Missin* v*ri*i**tion t**t RRSI* si*n*r n*m*s m*t** t** qu*ri** *om*in (*s *xpli*itly **s*ri*** in `*it*u*` issu* #*), *n* *) L**k o* root k*y v*li**tion. W*il* *x**t `*un*tion` n*m*s *r*n't provi*** in