Client does not validate DNS transaction id #30
Comments
This issue appears to have been assigned a CVE, CVE-2022-22846.
Thanks - as you note client.py is for testing but should clearly check TXIDs. I've also added a note in the README to ensure that TXID is validated. I've updated and released a new version on PyPI. The CVE seems a bit ridiculous - sounds like someone just generating random CVEs to look good on a resume (it isn't actually accurate as it is not a library function - dnslib just parses the packets).
Hi,
The dnslib client does not validate the DNS transaction ID (TXID) as specified in the RFC.
This is considered an implementation bug. Attackers can use this to redirect users to their malicious name servers.
I know the client was created for testing, but other projects using dnslib as a dependency might be affected as well.
I suggest adding a simple validation:
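The check discussed in this thread, as an added example that is not part of the original issue and is not dnslib's own code. It uses only the standard library, all function names are hypothetical, and it assumes a single-question query whose question section is echoed back uncompressed; it goes slightly beyond the TXID comparison by also checking the QR bit and the echoed question.

```python
import secrets
import struct

# DNS header: id, flags, qdcount, ancount, nscount, arcount
HEADER = struct.Struct("!HHHHHH")


def encode_qname(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=None):
    """Return (txid, packet) for a single-question query with RD set."""
    if txid is None:
        txid = secrets.randbits(16)  # unpredictable 16-bit TXID
    question = encode_qname(name) + struct.pack("!HH", qtype, 1)
    return txid, HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + question


def response_matches(query, response):
    """True only if `response` is a reply to this exact `query`."""
    if len(response) < HEADER.size:
        return False
    q_id, _, q_qd, *_ = HEADER.unpack_from(query)
    r_id, r_flags, r_qd, *_ = HEADER.unpack_from(response)
    if r_id != q_id:            # the TXID check this issue asks for
        return False
    if not r_flags & 0x8000:    # QR bit must mark the packet as a response
        return False
    if r_qd != q_qd:
        return False
    # The question section must be echoed back unchanged.
    q_question = query[HEADER.size:]
    return response[HEADER.size:HEADER.size + len(q_question)] == q_question


def fake_response(query, txid):
    """Constructed sample: echo the question with QR set and the given TXID."""
    _, flags, qd, *_ = HEADER.unpack_from(query)
    return HEADER.pack(txid, flags | 0x8000, qd, 0, 0, 0) + query[HEADER.size:]
```

A client would call `response_matches` on every datagram it receives and keep waiting (until its timeout) when the check fails, rather than accepting the first packet that arrives.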