x/vulndb: potential Go vuln in github.com/coredns/coredns: GHSA-h92q-fgpp-qhrq

[GoVulnBot]

Advisory GHSA-h92q-fgpp-qhrq references a vulnerability in the following Go modules:

Module
github.com/coredns/coredns

Description:
CoreDNS through 1.10.1 enables attackers to achieve DNS cache poisoning and inject fake responses via a birthday attack.

References:

• ADVISORY: GHSA-h92q-fgpp-qhrq
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-30464
• WEB: https://gist.github.com/idealeer/e41c7fb3b661d4262d0b6f21e12168ba

Cross references:

• github.com/coredns/coredns appears in 4 other report(s):
  • data/excluded/GO-2023-1606.yaml (x/vulndb: potential Go vuln in github.com/coredns/coredns: GHSA-ch7v-37xg-75ph #1606) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1610.yaml (x/vulndb: potential Go vuln in github.com/coredns/coredns: GHSA-h828-v5pv-33qx #1610) EFFECTIVELY_PRIVATE
  • data/reports/GO-2022-0368.yaml (x/vulndb: potential Go vuln in github.com/coredns/coredns: GHSA-gv9j-4w24-q7vx #368)
  • data/reports/GO-2024-2785.yaml (x/vulndb: potential Go vuln in github.com/coredns/coredns: CVE-2024-0874 #2785)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/coredns/coredns
      vulnerable_at: 1.11.3
summary: CoreDNS Cache Poisoning via a birthday attack in github.com/coredns/coredns
cves:
    - CVE-2023-30464
ghsas:
    - GHSA-h92q-fgpp-qhrq
references:
    - advisory: https://github.com/advisories/GHSA-h92q-fgpp-qhrq
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-30464
    - web: https://gist.github.com/idealeer/e41c7fb3b661d4262d0b6f21e12168ba
source:
    id: GHSA-h92q-fgpp-qhrq
    created: 2024-09-18T23:01:25.16426641Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/614081 mentions this issue: data/reports: add GO-2024-3134