Uncontrolled Resource Consumption ('Resource Exhaustion') Affecting github.com/coredns/coredns/plugin/pkg/proxy package, versions <1.11.0


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.05% (19th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Uncontrolled Resource Consumption ('Resource Exhaustion') vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-GOLANG-GITHUBCOMCOREDNSCOREDNSPLUGINPKGPROXY-8056486
  • published19 Sept 2024
  • disclosed18 Sept 2024
  • creditXiang Li

Introduced: 18 Sep 2024

CVE-2023-28452  (opens in a new tab)
CWE-400  (opens in a new tab)

How to fix?

Upgrade github.com/coredns/coredns/plugin/pkg/proxy to version 1.11.0 or higher.

Overview

github.com/coredns/coredns/plugin/pkg/proxy is a package that implements a forwarding proxy. It caches an upstream net.Conn for some time, so if the same client returns the upstream's Conn will be precached.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') through the DNS resolving process. An attacker can disrupt normal DNS resolution by forging a response targeting the source port of a vulnerable resolver without the need to guess the correct TXID.

CVSS Scores

version 4.0
version 3.1