data/reports/GO-2020-0038.yaml - vulndb - Git at Google

 modules:
   - module: github.com/pion/dtls
     versions:
       - fixed: 1.5.2
     vulnerable_at: 1.5.1
     packages:
       - package: github.com/pion/dtls
         symbols:
           - Conn.handleIncomingPacket
         derived_symbols:
           - Client
           - Dial
           - Listener.Accept
           - Resume
           - Server
 description: |
     Due to improper verification of packets, unencrypted packets containing
     application data are accepted after the initial handshake. This allows
     an attacker to inject arbitrary data which the client/server believes
     was encrypted, despite not knowing the session key.
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2019-20786
 ghsas:
   - GHSA-7gfg-6934-mqq2
 references:
   - fix: https://github.com/pion/dtls/pull/128
   - fix: https://github.com/pion/dtls/commit/fd73a5df2ff0e1fb6ae6a51e2777d7a16cc4f4e0
   - web: https://www.usenix.org/system/files/sec20fall_fiterau-brostean_prepub.pdf
	modules:
	- module: github.com/pion/dtls
	versions:
	- fixed: 1.5.2
	vulnerable_at: 1.5.1
	packages:
	- package: github.com/pion/dtls
	symbols:
	- Conn.handleIncomingPacket
	derived_symbols:
	- Client
	- Dial
	- Listener.Accept
	- Resume
	- Server
	description: \|
	Due to improper verification of packets, unencrypted packets containing
	application data are accepted after the initial handshake. This allows
	an attacker to inject arbitrary data which the client/server believes
	was encrypted, despite not knowing the session key.
	published: 2021-04-14T20:04:52Z
	cves:
	- CVE-2019-20786
	ghsas:
	- GHSA-7gfg-6934-mqq2
	references:
	- fix: https://github.com/pion/dtls/pull/128
	- fix: https://github.com/pion/dtls/commit/fd73a5df2ff0e1fb6ae6a51e2777d7a16cc4f4e0
	- web: https://www.usenix.org/system/files/sec20fall_fiterau-brostean_prepub.pdf