5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
0.001 Low
EPSS
Percentile
38.8%
Data channel communication was incorrectly allowed with users who have failed DTLS certificate verification.
This attack requires
This attack can be detected by monitoring PeerConnectionState
in all versions of Pion WebRTC.
Users should upgrade to v3.0.15.
The exact patch is https://github.com/pion/webrtc/commit/545613dcdeb5dedb01cce94175f40bcbe045df2e
Users should listen for when PeerConnectionState
changes to PeerConnectionStateFailed
. When it enters this state users should not continue using the PeerConnection.
If you have any questions or comments about this advisory:
Thank you to https://github.com/Gaukas for discovering this.
CPE | Name | Operator | Version |
---|---|---|---|
github.com/pion/webrtc/v3 | lt | 3.0.15 |
github.com/advisories/GHSA-74xm-qj29-cq8p
github.com/pion/webrtc/commit/545613dcdeb5dedb01cce94175f40bcbe045df2e
github.com/pion/webrtc/issues/1708
github.com/pion/webrtc/pull/1709
github.com/pion/webrtc/security/advisories/GHSA-74xm-qj29-cq8p
nvd.nist.gov/vuln/detail/CVE-2021-28681
pkg.go.dev/vuln/GO-2021-0104
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
0.001 Low
EPSS
Percentile
38.8%