modules:
  - module: github.com/pion/dtls/v2
    versions:
      - fixed: 2.1.4
    vulnerable_at: 2.1.3
    packages:
      - package: github.com/pion/dtls/v2
        symbols:
          - fragmentBuffer.push
        derived_symbols:
          - Client
          - ClientWithContext
          - Dial
          - DialWithContext
          - Resume
          - Server
          - ServerWithContext
          - handshakeFSM.Run
          - listener.Accept
description: |
    Attacker can cause unbounded memory consumption.
    The Pion DTLS client and server buffer handshake data with no
    upper limit, permitting an attacker to cause unbounded memory
    consumption by sending an unterminated handshake.
published: 2022-07-01T20:07:25Z
cves:
  - CVE-2022-29189
ghsas:
  - GHSA-cx94-mrg9-rq4j
references:
  - fix: https://github.com/pion/dtls/commit/a6397ff7282bc56dc37a68ea9211702edb4de1de