blob: 4d74d411d97672b8202aecc1b856fc954146482f [file] [log] [blame]
module: github.com/pion/dtls
versions:
- fixed: v1.5.2
description: |
Due to improper verification of packets, unencrypted packets containing
application data are accepted after the initial handshake. This allows
an attacker to inject arbitrary data which the client/server believes
was encrypted, despite not knowing the session key.
published: 2021-04-14T20:04:52Z
cves:
- CVE-2019-20786
ghsas:
- GHSA-7gfg-6934-mqq2
symbols:
- Conn.handleIncomingPacket
derived_symbols:
- Client
- Dial
- Listener.Accept
- Resume
- Server
links:
pr: https://github.com/pion/dtls/pull/128
commit: https://github.com/pion/dtls/commit/fd73a5df2ff0e1fb6ae6a51e2777d7a16cc4f4e0
context:
- https://www.usenix.org/system/files/sec20fall_fiterau-brostean_prepub.pdf