CVE-2021-28681 github.com/pion/webrtc/v3

Package

Manager: go
Name: github.com/pion/webrtc/v3
Vulnerable Version: >=0 <3.0.15

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.001 (percentile 0.2828)

Details

In github.com/pion/webrtc, failed DTLS certificate verification doesn't stop data channel communication

### Impact

Data channel communication was incorrectly allowed with peers who have failed DTLS certificate verification. This attack requires:

* The attacker knows the ICE password.
* It can only take place during the PeerConnection handshake.

This attack can be detected by monitoring `PeerConnectionState` in all versions of Pion WebRTC.

### Patches

Users should upgrade to v3.0.15. The exact patch is https://github.com/pion/webrtc/commit/545613dcdeb5dedb01cce94175f40bcbe045df2e

### Workarounds

Users should listen for when `PeerConnectionState` changes to `PeerConnectionStateFailed`. When it enters this state, users should not continue using the PeerConnection.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in https://github.com/pion/webrtc
* Email us at [team@pion.ly](mailto:team@pion.ly)

Thank you to https://github.com/Gaukas for discovering this.

Metadata

Created: 2021-05-25T18:42:42Z
Modified: 2024-05-20T19:56:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-74xm-qj29-cq8p/GHSA-74xm-qj29-cq8p.json
CWE IDs: ["CWE-863"]
Alternative ID: GHSA-74xm-qj29-cq8p
Finding: F006
Auto approve: 1