GMS-2023-257: Pion DTLS is vulnerable to out of bounds read via server hello

February 7, 2023 (updated August 23, 2023)

Impact

When attempting to unmarshal a Server Hello request we could attempt to unmarshal into a buffer that was too small. This could result in a panic leading the program to crash.

This issue could be abused to cause a denial of service.

Workaround

None

References

github.com/advisories/GHSA-hxp2-xqf3-v83h
github.com/pion/dtls/commit/7a14903448b70069fd9e02adf210ca23083c56d2
github.com/pion/dtls/security/advisories/GHSA-hxp2-xqf3-v83h

Code Behaviors & Features

Detect and mitigate GMS-2023-257 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →