Summary | MITM when used without DNSSEC |
---|---|
Date | 2022-04-28 |
CVE Number | CVE-2022-26491 |
Discovered By | moparisthebest |
Fixed In Release | 2.14.9 |
If DNSSEC is not in use, it is trivial to perform a man-in-the-middle attack against a client via DNS spoofing. You can find more discussion in the XMPP Standards Archives.
Removed the code that supported the _xmppconnect DNS TXT record.
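For clients that still consume `_xmppconnect` TXT data, the sketch below shows one way to keep unauthenticated answers from steering the connection. It is an added example, not Pidgin's code (Pidgin's fix removed the lookup entirely). The function name and the `dnssec_validated` flag are hypothetical, and the attribute names are taken from XEP-0156 rather than from this advisory.

```python
from urllib.parse import urlsplit

# XEP-0156 TXT attribute names mapped to the only URL scheme accepted for each.
ALLOWED = {"_xmpp-client-xbosh": "https", "_xmpp-client-websocket": "wss"}


def select_alt_endpoints(txt_records, dnssec_validated):
    """Return (method, url) pairs that are safe to use, else an empty list.

    dnssec_validated is an assumption of this sketch: the caller sets it only
    when a validating resolver marked the answer as authenticated (AD bit).
    """
    if not dnssec_validated:
        # Unsigned TXT data can be spoofed, so it must not steer the connection.
        return []
    accepted = []
    for record in txt_records:
        key, sep, value = record.partition("=")
        key, value = key.strip(), value.strip()
        scheme = ALLOWED.get(key)
        if not sep or scheme is None:
            continue  # not a connection-method attribute
        url = urlsplit(value)
        # Require the encrypted scheme for this method and a non-empty host.
        if url.scheme == scheme and url.hostname:
            accepted.append((key, value))
    return accepted


# Constructed sample answer for _xmppconnect.example.org (not real data).
SAMPLE_TXT = [
    "_xmpp-client-xbosh=https://bosh.example.org/http-bind",
    "_xmpp-client-websocket=ws://ws.example.org/xmpp",  # cleartext: rejected
    "v=spf1 -all",                                      # unrelated TXT data
]

if __name__ == "__main__":
    print(select_alt_endpoints(SAMPLE_TXT, dnssec_validated=False))
    print(select_alt_endpoints(SAMPLE_TXT, dnssec_validated=True))
```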