blob: bd67f26eda3c7b16f323d2675bfff9bd25b6013b [file] [log] [blame]
packages:
- module: github.com/pion/webrtc/v3
symbols:
- DTLSTransport.Start
derived_symbols:
- PeerConnection.AddTrack
- PeerConnection.AddTransceiverFromTrack
- PeerConnection.CreateDataChannel
- PeerConnection.RemoveTrack
- PeerConnection.SetLocalDescription
- PeerConnection.SetRemoteDescription
- operations.Done
- operations.Enqueue
versions:
- fixed: 3.0.15
description: |
Due to improper error handling, DTLS connections were not killed when certificate verification
failed, causing users who did not check the connection state to continue to use the connection.
This could allow allow an attacker which holds the ICE password, but not a valid certificate,
to bypass this restriction.
published: 2021-07-28T18:08:05Z
cves:
- CVE-2021-28681
ghsas:
- GHSA-74xm-qj29-cq8p
credit: Gaukas Wang (@Gaukas)
links:
pr: https://github.com/pion/webrtc/pull/1709
commit: https://github.com/pion/webrtc/commit/545613dcdeb5dedb01cce94175f40bcbe045df2e
context:
- https://github.com/pion/webrtc/issues/1708
- https://github.com/advisories/GHSA-74xm-qj29-cq8p