x/vulndb: add reports/GO-2022-0462.yaml for CVE-2022-29222
Fixes golang/vulndb#0462
Change-Id: I1d5bd28fcfe8567ab24c39deb56e11695aeb6b55
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/414094
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
diff --git a/reports/GO-2022-0462.yaml b/reports/GO-2022-0462.yaml
new file mode 100644
index 0000000..d0691c2
--- /dev/null
+++ b/reports/GO-2022-0462.yaml
@@ -0,0 +1,33 @@
+packages:
+ - module: github.com/pion/dtls/v2
+ symbols:
+ - flight4Parse
+ derived_symbols:
+ - Client
+ - ClientWithContext
+ - Dial
+ - DialWithContext
+ - Resume
+ - Server
+ - ServerWithContext
+ - handshakeFSM.Run
+ - listener.Accept
+ versions:
+ - fixed: 2.1.5
+ vulnerable_at: 2.1.4
+description: |
+ Client-provided certificates are not correctly validated,
+ and must not be trusted.
+
+ DTLS client certificates must be accompanied by proof that the client
+ possesses the private key for the certificate. The Pion DTLS server
+ accepted client certificates unaccompanied by this proof, permitting
+ an attacker to present any certificate and have it accepted as valid.
+cves:
+ - CVE-2022-29222
+ghsas:
+ - GHSA-w45j-f832-hxvh
+links:
+ commit: https://github.com/pion/dtls/commit/d2f797183a9f044ce976e6df6f362662ca722412
+ context:
+ - https://github.com/pion/dtls/security/advisories/GHSA-w45j-f832-hxvh