data/reports/GO-2022-0462.yaml - vulndb - Git at Google

 modules:
   - module: github.com/pion/dtls/v2
     versions:
       - fixed: 2.1.5
     vulnerable_at: 2.1.4
     packages:
       - package: github.com/pion/dtls/v2
         symbols:
           - flight4Parse
         derived_symbols:
           - Client
           - ClientWithContext
           - Dial
           - DialWithContext
           - Resume
           - Server
           - ServerWithContext
           - handshakeFSM.Run
           - listener.Accept
 description: |
     Client-provided certificates are not correctly validated,
     and must not be trusted.

     DTLS client certificates must be accompanied by proof that the client
     possesses the private key for the certificate. The Pion DTLS server
     accepted client certificates unaccompanied by this proof, permitting
     an attacker to present any certificate and have it accepted as valid.
 published: 2022-07-01T20:07:12Z
 cves:
   - CVE-2022-29222
 ghsas:
   - GHSA-w45j-f832-hxvh
 references:
   - fix: https://github.com/pion/dtls/commit/d2f797183a9f044ce976e6df6f362662ca722412
	modules:
	- module: github.com/pion/dtls/v2
	versions:
	- fixed: 2.1.5
	vulnerable_at: 2.1.4
	packages:
	- package: github.com/pion/dtls/v2
	symbols:
	- flight4Parse
	derived_symbols:
	- Client
	- ClientWithContext
	- Dial
	- DialWithContext
	- Resume
	- Server
	- ServerWithContext
	- handshakeFSM.Run
	- listener.Accept
	description: \|
	Client-provided certificates are not correctly validated,
	and must not be trusted.

	DTLS client certificates must be accompanied by proof that the client
	possesses the private key for the certificate. The Pion DTLS server
	accepted client certificates unaccompanied by this proof, permitting
	an attacker to present any certificate and have it accepted as valid.
	published: 2022-07-01T20:07:12Z
	cves:
	- CVE-2022-29222
	ghsas:
	- GHSA-w45j-f832-hxvh
	references:
	- fix: https://github.com/pion/dtls/commit/d2f797183a9f044ce976e6df6f362662ca722412