CVE-2022-24968: 
NixOS vulnerability analysis and mitigation

In Mellium mellium.im/xmpp through 0.21.0, a vulnerability was discovered in the websocket package that could allow an attacker capable of spoofing DNS TXT records to redirect WebSocket connection requests. The vulnerability was assigned CVE-2022-24968 and was discovered in February 2022, affecting versions from 0.18.0 through 0.21.0. The issue was fixed in version 0.21.1 (Mellium Advisory, NVD).

The vulnerability occurs in the TLS configuration of the websocket package. When looking up a WSS endpoint using DNS TXT record method (as described in XEP-0156: Discovering Alternative XMPP Connection Methods), the ServerName field was incorrectly set to the name of the server returned by the TXT record request, instead of the initial server being connected to. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.9 (Medium) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD).

A successful exploitation of this vulnerability could allow an attacker to redirect a WebSocket connection request to a server under their control without causing TLS certificate verification to fail. This could result in a man-in-the-middle (MITM) situation where the attacker could intercept and potentially manipulate XMPP communications (Mellium Advisory).

The vulnerability has been fixed in version 0.21.1 of mellium.im/xmpp. Users are advised to upgrade to this version or later to address the security issue. The fix ensures proper verification of the server name during TLS certificate validation (Mellium Advisory).