GHSA-mmwx-rj87-vfgr: DNSJava affected by KeyTrap - NSEC3 closest encloser proof can exhaust CPU resources

July 22, 2024 (updated November 18, 2024)

Users using the ValidatingResolver for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones.

References

github.com/advisories/GHSA-mmwx-rj87-vfgr
github.com/advisories/GHSA-pv4h-p8jr-6cv2
github.com/dnsjava/dnsjava
github.com/dnsjava/dnsjava/commit/711af79be3214f52daa5c846b95766dc0a075116
github.com/dnsjava/dnsjava/security/advisories/GHSA-mmwx-rj87-vfgr
nvd.nist.gov/vuln/detail/CVE-2023-50868

Code Behaviors & Features

Detect and mitigate GHSA-mmwx-rj87-vfgr with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →