{
"schema_version": "1.3.1",
"id": "GO-2021-0104",
"modified": "0001-01-01T00:00:00Z",
"published": "2021-07-28T18:08:05Z",
"aliases": [
"CVE-2021-28681",
"GHSA-74xm-qj29-cq8p"
],
"summary": "Authorization bypass in github.com/pion/webrtc/v3",
"details": "Due to improper error handling, DTLS connections were not killed when certificate verification failed, causing users who did not check the connection state to continue to use the connection. This could allow an attacker who holds the ICE password, but not a valid certificate, to bypass this restriction.",
"affected": [
{
"package": {
"name": "github.com/pion/webrtc/v3",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.15"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/pion/webrtc/v3",
"symbols": [
"DTLSTransport.Start",
"PeerConnection.AddTrack",
"PeerConnection.AddTransceiverFromKind",
"PeerConnection.AddTransceiverFromTrack",
"PeerConnection.CreateDataChannel",
"PeerConnection.RemoveTrack",
"PeerConnection.SetLocalDescription",
"PeerConnection.SetRemoteDescription",
"operations.Done",
"operations.Enqueue"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/pion/webrtc/pull/1709"
},
{
"type": "FIX",
"url": "https://github.com/pion/webrtc/commit/545613dcdeb5dedb01cce94175f40bcbe045df2e"
},
{
"type": "WEB",
"url": "https://github.com/pion/webrtc/issues/1708"
}
],
"credits": [
{
"name": "Gaukas Wang (@Gaukas)"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2021-0104",
"review_status": "REVIEWED"
}
}