Lucene search

GoogleOSV:GO-2022-0461

HistoryJul 01, 2022 - 8:07 p.m.

Unbounded memory consumption in github.com/pion/dtls/v2

2022-07-0120:07:25

Google

osv.dev

pion dtls

unbounded memory

attacker

handshake

github

software

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.004

Percentile

74.6%

JSON

Attacker can cause unbounded memory consumption.

The Pion DTLS client and server buffer handshake data with no upper limit, permitting an attacker to cause unbounded memory consumption by sending an unterminated handshake.

References

github.com/pion/dtls/commit/a6397ff7282bc56dc37a68ea9211702edb4de1de

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.004

Percentile

74.6%

JSON

Related for OSV:GO-2022-0461