blob: edafdd5e12606b12412d59f4d47ed12f81bcb046 [file] [log] [blame]
id: GO-2020-0038
modules:
- module: github.com/pion/dtls
versions:
- fixed: 1.5.2
vulnerable_at: 1.5.1
packages:
- package: github.com/pion/dtls
symbols:
- Conn.handleIncomingPacket
derived_symbols:
- Client
- Dial
- Listener.Accept
- Resume
- Server
summary: Improper authentication in github.com/pion/dtls
description: |-
Due to improper verification of packets, unencrypted packets containing
application data are accepted after the initial handshake. This allows an
attacker to inject arbitrary data which the client/server believes was
encrypted, despite not knowing the session key.
published: 2021-04-14T20:04:52Z
cves:
- CVE-2019-20786
ghsas:
- GHSA-7gfg-6934-mqq2
references:
- fix: https://github.com/pion/dtls/pull/128
- fix: https://github.com/pion/dtls/commit/fd73a5df2ff0e1fb6ae6a51e2777d7a16cc4f4e0
- web: https://www.usenix.org/system/files/sec20fall_fiterau-brostean_prepub.pdf
review_status: REVIEWED