commit b5f6da87e089be2ab81dcd76e007d767d04448e2
author Damien Neil <dneil@google.com> Fri Jun 24 16:08:32 2022 -0700
committer Damien Neil <dneil@google.com> Fri Jul 01 20:07:12 2022 +0000
tree d0a15abe8bb9c7ec1a217ed7ebb0f1d4d02d85a8
parent a7552e69decddf55b8db00acb502fe810d3d0f61

x/vulndb: add reports/GO-2022-0462.yaml for CVE-2022-29222

Fixes golang/vulndb#0462

Change-Id: I1d5bd28fcfe8567ab24c39deb56e11695aeb6b55
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/414094
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>

reports/GO-2022-0462.yaml

diff --git a/reports/GO-2022-0462.yaml b/reports/GO-2022-0462.yaml
new file mode 100644
index 0000000..d0691c2
--- /dev/null
+++ b/reports/GO-2022-0462.yaml
@@ -0,0 +1,33 @@
+packages:
+  - module: github.com/pion/dtls/v2
+    symbols:
+      - flight4Parse
+    derived_symbols:
+      - Client
+      - ClientWithContext
+      - Dial
+      - DialWithContext
+      - Resume
+      - Server
+      - ServerWithContext
+      - handshakeFSM.Run
+      - listener.Accept
+    versions:
+      - fixed: 2.1.5
+    vulnerable_at: 2.1.4
+description: |
+    Client-provided certificates are not correctly validated,
+    and must not be trusted.
+
+    DTLS client certificates must be accompanied by proof that the client
+    possesses the private key for the certificate. The Pion DTLS server
+    accepted client certificates unaccompanied by this proof, permitting
+    an attacker to present any certificate and have it accepted as valid.
+cves:
+  - CVE-2022-29222
+ghsas:
+  - GHSA-w45j-f832-hxvh
+links:
+    commit: https://github.com/pion/dtls/commit/d2f797183a9f044ce976e6df6f362662ca722412
+    context:
+      - https://github.com/pion/dtls/security/advisories/GHSA-w45j-f832-hxvh