| { |
| "schema_version": "1.3.1", |
| "id": "GO-2022-0462", |
| "modified": "0001-01-01T00:00:00Z", |
| "published": "2022-07-01T20:07:12Z", |
| "aliases": [ |
| "CVE-2022-29222", |
| "GHSA-w45j-f832-hxvh" |
| ], |
| "summary": "Improper validation of client certificates in github.com/pion/dtls/v2", |
| "details": "Client-provided certificates are not correctly validated, and must not be trusted.\n\nDTLS client certificates must be accompanied by proof that the client possesses the private key for the certificate. The Pion DTLS server accepted client certificates unaccompanied by this proof, permitting an attacker to present any certificate and have it accepted as valid.", |
| "affected": [ |
| { |
| "package": { |
| "name": "github.com/pion/dtls/v2", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "2.1.5" |
| } |
| ] |
| } |
| ], |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "github.com/pion/dtls/v2", |
| "symbols": [ |
| "Client", |
| "ClientWithContext", |
| "Dial", |
| "DialWithContext", |
| "Resume", |
| "Server", |
| "ServerWithContext", |
| "flight4Parse", |
| "handshakeFSM.Run", |
| "listener.Accept" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "FIX", |
| "url": "https://github.com/pion/dtls/commit/d2f797183a9f044ce976e6df6f362662ca722412" |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2022-0462" |
| } |
| } |