{"id":"CVE-2022-24968","details":"In Mellium mellium.im/xmpp versions up to and including 0.21.0, an attacker capable of spoofing DNS TXT records can redirect a WebSocket connection request to a server under their control without causing TLS certificate verification to fail. This occurs because the wrong host name is selected for that certificate verification.","aliases":["GHSA-h289-x5wc-xcv8","GHSA-m658-p24x-p74r","GO-2022-0370"],"modified":"2026-05-28T04:07:33.381417260Z","published":"2022-02-11T18:16:54Z","database_specific":{"unresolved_ranges":[{"extracted_events":[{"fixed":"0.21.0"}],"source":"DESCRIPTION"}],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24968.json","cna_assigner":"mitre"},"references":[{"type":"WEB","url":"https://mellium.im/cve/cve-2022-24968/"},{"type":"WEB","url":"https://mellium.im/xmpp/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24968.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24968"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mellium/xmpp","events":[{"introduced":"a7ac61e4ef7ef587df5c398f4deba3dd024084b4"},{"fixed":"7113e3f879ca80d2dd50438645e67bb874d8bca7"}],"database_specific":{"extracted_events":[{"introduced":"0.18.0"},{"fixed":"0.21.1"}],"source":"CPE_RANGE","cpe":"cpe:2.3:a:mellium:xmpp:*:*:*:*:*:*:*:*"}}],"versions":["v0.21.0","v0.20.0","v0.19.0","v0.18.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-24968.json"}}],"schema_version":"1.7.5"}