CVE-2022-29222: Improper Certificate Validation
Pion DTLS is a Go implementation of Datagram Transport Layer Security. Prior to version 2.1.5, a DTLS Client could provide a Certificate that it does not posses the private key for and Pion DTLS wouldn’t reject it. This issue affects users that are using Client certificates only. The connection itself is still secure. The Certificate provided by clients can’t be trusted when using a Pion DTLS server prior to version 2.1.5. Users should upgrade to version 2.1.5 to receive a patch. There are currently no known workarounds.
References
Detect and mitigate CVE-2022-29222 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →