GO-2022-0462

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2022-0462

Import Source

https://vuln.go.dev/ID/GO-2022-0462.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2022-0462

Aliases

Published

2022-07-01T20:07:12Z

Modified

2024-05-20T16:03:47Z

Summary

Improper validation of client certificates in github.com/pion/dtls/v2

Details

Client-provided certificates are not correctly validated, and must not be trusted.

DTLS client certificates must be accompanied by proof that the client possesses the private key for the certificate. The Pion DTLS server accepted client certificates unaccompanied by this proof, permitting an attacker to present any certificate and have it accepted as valid.

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2022-0462"
}

References

https://github.com/pion/dtls/commit/d2f797183a9f044ce976e6df6f362662ca722412

Affected packages

Go / github.com/pion/dtls/v2

Package

Name: github.com/pion/dtls/v2; View open source insights on deps.dev
Purl: pkg:golang/github.com/pion/dtls/v2

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.1.5

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/pion/dtls/v2",
            "symbols": [
                "Client",
                "ClientWithContext",
                "Dial",
                "DialWithContext",
                "Resume",
                "Server",
                "ServerWithContext",
                "flight4Parse",
                "handshakeFSM.Run",
                "listener.Accept"
            ]
        }
    ]
}