CVE-2022-29189
Unbounded memory consumption in github.com/pion/dtls/v2
CVSS 3.1: 5.3 (MEDIUM)
EPSS: 1.2%
Description
Pion DTLS is a Go implementation of Datagram Transport Layer Security. Prior to version 2.1.4, the buffer used for inbound network traffic had no upper limit: Pion DTLS buffered all network traffic from the remote peer until the handshake completed or timed out. An attacker could exploit this to cause excessive memory usage on the receiving side. Version 2.1.4 contains a patch for this issue. There are currently no known workarounds available.
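The defensive pattern the fix describes, a pre-handshake inbound buffer with a hard byte cap, is illustrated by the following added example. It is not pion/dtls code; the `BoundedInbound` type, its cap and the constructed 1,000-datagram scenario are assumptions chosen to show how a cap keeps per-peer memory bounded while the handshake is pending.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrBufferLimit is returned when accepting a datagram would push the
// pre-handshake buffer past its configured cap.
var ErrBufferLimit = errors.New("inbound handshake buffer limit exceeded")

// BoundedInbound accumulates datagrams received before a handshake completes,
// but refuses to grow beyond maxBytes. Hypothetical type for illustration,
// not the pion/dtls implementation.
type BoundedInbound struct {
	maxBytes int
	data     [][]byte
	size     int
	dropped  int // datagrams refused because of the cap
}

func NewBoundedInbound(maxBytes int) *BoundedInbound {
	return &BoundedInbound{maxBytes: maxBytes}
}

// Push stores one datagram. When the datagram would exceed the cap it is
// refused with ErrBufferLimit and the existing contents are left untouched,
// so a peer that never finishes the handshake cannot grow the buffer further.
func (b *BoundedInbound) Push(pkt []byte) error {
	if b.size+len(pkt) > b.maxBytes {
		b.dropped++
		return ErrBufferLimit
	}
	cp := make([]byte, len(pkt))
	copy(cp, pkt)
	b.data = append(b.data, cp)
	b.size += len(cp)
	return nil
}

// Size reports the bytes currently held; Dropped reports refused datagrams,
// a counter worth exporting as a metric since a rising value points at a
// peer that is flooding before completing its handshake.
func (b *BoundedInbound) Size() int    { return b.size }
func (b *BoundedInbound) Dropped() int { return b.dropped }

// Drain hands back the buffered datagrams and resets the buffer, as a
// connection would do once the handshake completes or times out.
func (b *BoundedInbound) Drain() [][]byte {
	out := b.data
	b.data = nil
	b.size = 0
	return out
}

// Simulate feeds n datagrams of pktLen bytes into a buffer capped at maxBytes
// and returns the bytes retained and the datagrams refused.
func Simulate(n, pktLen, maxBytes int) (retained, refused int) {
	b := NewBoundedInbound(maxBytes)
	pkt := make([]byte, pktLen)
	for i := 0; i < n; i++ {
		if err := b.Push(pkt); err != nil && !errors.Is(err, ErrBufferLimit) {
			panic(err)
		}
	}
	return b.Size(), b.Dropped()
}

func main() {
	// Constructed scenario: a peer sends 1,000 datagrams of 1,200 bytes without
	// ever completing the handshake. With a 64 KiB cap the buffer stops at
	// 64,800 bytes; without a cap it would reach 1.2 MB for this single peer.
	retained, refused := Simulate(1000, 1200, 64*1024)
	fmt.Printf("retained=%d bytes, refused=%d datagrams\n", retained, refused)
}
```

The cap should be sized to the largest legitimate handshake flight plus some slack; anything beyond that is, by definition, data the peer has no reason to send before the handshake finishes, and refusing it costs nothing but the dropped datagrams.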
How to fix CVE-2022-29189
To remediate CVE-2022-29189, upgrade the affected package to a fixed version below.
- upgrade to 2.2.0-1 or later
- upgrade to 2.1.4 or later
- upgrade to 2.1.4 or later
- upgrade to 2.1.4 or later
Is CVE-2022-29189 being exploited?
Low: EPSS is 1.2%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 2.2.0-1
- from 0, < 2.1.4
- from 0, < 2.1.4
- from 0, < 2.1.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |