reports/GO-2020-0038.yaml - vulndb - Git at Google

 packages:
   - module: github.com/pion/dtls
     symbols:
       - Conn.handleIncomingPacket
     derived_symbols:
       - Client
       - Dial
       - Listener.Accept
       - Resume
       - Server
     versions:
       - fixed: 1.5.2
 description: |
     Due to improper verification of packets, unencrypted packets containing
     application data are accepted after the initial handshake. This allows
     an attacker to inject arbitrary data which the client/server believes
     was encrypted, despite not knowing the session key.
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2019-20786
 ghsas:
   - GHSA-7gfg-6934-mqq2
 links:
     pr: https://github.com/pion/dtls/pull/128
     commit: https://github.com/pion/dtls/commit/fd73a5df2ff0e1fb6ae6a51e2777d7a16cc4f4e0
     context:
       - https://www.usenix.org/system/files/sec20fall_fiterau-brostean_prepub.pdf
	packages:
	- module: github.com/pion/dtls
	symbols:
	- Conn.handleIncomingPacket
	derived_symbols:
	- Client
	- Dial
	- Listener.Accept
	- Resume
	- Server
	versions:
	- fixed: 1.5.2
	description: \|
	Due to improper verification of packets, unencrypted packets containing
	application data are accepted after the initial handshake. This allows
	an attacker to inject arbitrary data which the client/server believes
	was encrypted, despite not knowing the session key.
	published: 2021-04-14T20:04:52Z
	cves:
	- CVE-2019-20786
	ghsas:
	- GHSA-7gfg-6934-mqq2
	links:
	pr: https://github.com/pion/dtls/pull/128
	commit: https://github.com/pion/dtls/commit/fd73a5df2ff0e1fb6ae6a51e2777d7a16cc4f4e0
	context:
	- https://www.usenix.org/system/files/sec20fall_fiterau-brostean_prepub.pdf