CVE-2021-33195

Name of the Vulnerable Software and Affected Versions Go versions 1.15.x before 1.15.13 Go versions 1.16.x before 1.16.5

Description The issue is related to the DNS lookup functions in the Go programming language, which do not properly validate replies from DNS servers. This can lead to the return of unsafe injections, such as XSS, that do not conform to the RFC1035 format. The vulnerability allows a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. The affected functions include LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr, which may return arbitrary values retrieved from DNS that do not follow established rules for domain names. If these names are used without further sanitization, they may allow for injection of unexpected content.

Recommendations For Go versions 1.15.x before 1.15.13, update to version 1.15.13 or later to resolve the issue. For Go versions 1.16.x before 1.16.5, update to version 1.16.5 or later to resolve the issue. As a temporary workaround, consider sanitizing the output of the LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions to prevent injection of unexpected content.