| id: GO-2022-0461 |
| modules: |
| - module: github.com/pion/dtls/v2 |
| versions: |
| - fixed: 2.1.4 |
| vulnerable_at: 2.1.3 |
| packages: |
| - package: github.com/pion/dtls/v2 |
| symbols: |
| - fragmentBuffer.push |
| derived_symbols: |
| - Client |
| - ClientWithContext |
| - Dial |
| - DialWithContext |
| - Resume |
| - Server |
| - ServerWithContext |
| - handshakeFSM.Run |
| - listener.Accept |
| summary: Unbounded memory consumption in github.com/pion/dtls/v2 |
| description: |- |
| Attacker can cause unbounded memory consumption. |
| |
| The Pion DTLS client and server buffer handshake data with no upper limit, |
| permitting an attacker to cause unbounded memory consumption by sending an |
| unterminated handshake. |
| published: 2022-07-01T20:07:25Z |
| cves: |
| - CVE-2022-29189 |
| ghsas: |
| - GHSA-cx94-mrg9-rq4j |
| references: |
| - fix: https://github.com/pion/dtls/commit/a6397ff7282bc56dc37a68ea9211702edb4de1de |
| review_status: REVIEWED |