CVE-2022-29222: Improper Certificate Validation

May 25, 2022 (updated February 15, 2023)

Pion DTLS is a Go implementation of Datagram Transport Layer Security. Prior to version 2.1.5, a DTLS Client could provide a Certificate that it does not posses the private key for and Pion DTLS wouldn’t reject it. This issue affects users that are using Client certificates only. The connection itself is still secure. The Certificate provided by clients can’t be trusted when using a Pion DTLS server prior to version 2.1.5. Users should upgrade to version 2.1.5 to receive a patch. There are currently no known workarounds.

References

github.com/advisories/GHSA-w45j-f832-hxvh
github.com/pion/dtls/commit/d2f797183a9f044ce976e6df6f362662ca722412
github.com/pion/dtls/releases/tag/v2.1.5
github.com/pion/dtls/security/advisories/GHSA-w45j-f832-hxvh
nvd.nist.gov/vuln/detail/CVE-2022-29222
pkg.go.dev/vuln/GO-2022-0462

Detect and mitigate CVE-2022-29222 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →