CVE-2022-22846: dnslib has DNS reply verification issue

January 12, 2022 (updated September 18, 2024)

The dnslib package through 0.9.16 for Python does not verify that the ID value in a DNS reply matches an ID value in a query.

References

github.com/advisories/GHSA-r478-c2pc-m7gx
github.com/paulc/dnslib
github.com/paulc/dnslib/commit/76e8677699ed098387d502c57980f58da642aeba
github.com/paulc/dnslib/issues/30
github.com/pypa/advisory-database/tree/main/vulns/dnslib/PYSEC-2022-4.yaml
nvd.nist.gov/vuln/detail/CVE-2022-22846

Detect and mitigate CVE-2022-22846 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →