id: GO-2022-0462
modules:
    - module: github.com/pion/dtls/v2
      versions:
          - fixed: 2.1.5
      vulnerable_at: 2.1.4
      packages:
          - package: github.com/pion/dtls/v2
            symbols:
                - flight4Parse
            derived_symbols:
                - Client
                - ClientWithContext
                - Dial
                - DialWithContext
                - Resume
                - Server
                - ServerWithContext
                - handshakeFSM.Run
                - listener.Accept
summary: Improper validation of client certificates in github.com/pion/dtls/v2
description: |-
    Client-provided certificates are not correctly validated, and must not be
    trusted.

    DTLS client certificates must be accompanied by proof that the client possesses
    the private key for the certificate. The Pion DTLS server accepted client
    certificates unaccompanied by this proof, permitting an attacker to present any
    certificate and have it accepted as valid.
published: 2022-07-01T20:07:12Z
cves:
    - CVE-2022-29222
ghsas:
    - GHSA-w45j-f832-hxvh
references:
    - fix: https://github.com/pion/dtls/commit/d2f797183a9f044ce976e6df6f362662ca722412
review_status: REVIEWED