CVE-2022-24968
MEDIUMmellium/xmpp 0.18.0-0.21.0 - Improper Certificate Validation via DNS TXT Record Spoofing
Title source: llmDescription
In Mellium mellium.im/xmpp through 0.21.0, an attacker capable of spoofing DNS TXT records can redirect a WebSocket connection request to a server under their control without causing TLS certificate verification to fail. This occurs because the wrong host name is selected during this verification.
References (2)
Core 2
Core References
Product, Vendor Advisory x_refsource_misc
https://mellium.im/xmpp/
Vendor Advisory x_refsource_misc
https://mellium.im/cve/cve-2022-24968/
Scores
CVSS v3
5.9
EPSS
0.0062
EPSS Percentile
44.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-295
Status
published
Products (2)
mellium/xmpp
0.18.0 - 0.21.1
mellium.im/xmpp
0.18.0 - 0.21.1Go
Published
Feb 11, 2022
Tracked Since
Feb 18, 2026