cve-2021-28681
Vulnerability from cvelistv5
Published
2021-03-18 03:20
Modified
2024-08-03 21:47
Severity ?
Summary
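Pion WebRTC before 3.0.15 didn't properly tear down the DTLS Connection when certificate verification failed. The PeerConnectionState was set to failed, but a user could ignore that and continue to use the PeerConnection. (A WebRTC implementation shouldn't allow the user to continue if verification has failed.) The NVD data in the record below classifies this as CWE-863 with a CVSS 3.1 base score of 5.3 (integrity impact only) and bounds the affected range at versions before 3.0.15; applications that cannot upgrade yet should treat a failed PeerConnectionState as terminal and close the PeerConnection themselves.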
Impacted products
Vendor Product Version


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T21:47:33.209Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/pion/webrtc/issues/1708"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/pion/webrtc/security/advisories/GHSA-74xm-qj29-cq8p"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Pion WebRTC before 3.0.15 didn\u0027t properly tear down the DTLS Connection when certificate verification failed. The PeerConnectionState was set to failed, but a user could ignore that and continue to use the PeerConnection. )A WebRTC implementation shouldn\u0027t allow the user to continue if verification has failed.)"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-03-18T23:28:05",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pion/webrtc/issues/1708"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pion/webrtc/security/advisories/GHSA-74xm-qj29-cq8p"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-28681",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Pion WebRTC before 3.0.15 didn\u0027t properly tear down the DTLS Connection when certificate verification failed. The PeerConnectionState was set to failed, but a user could ignore that and continue to use the PeerConnection. )A WebRTC implementation shouldn\u0027t allow the user to continue if verification has failed.)"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/pion/webrtc/issues/1708",
              "refsource": "MISC",
              "url": "https://github.com/pion/webrtc/issues/1708"
            },
            {
              "name": "https://github.com/pion/webrtc/security/advisories/GHSA-74xm-qj29-cq8p",
              "refsource": "MISC",
              "url": "https://github.com/pion/webrtc/security/advisories/GHSA-74xm-qj29-cq8p"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-28681",
    "datePublished": "2021-03-18T03:20:06",
    "dateReserved": "2021-03-18T00:00:00",
    "dateUpdated": "2024-08-03T21:47:33.209Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:webrtc_project:webrtc:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"3.0.15\", \"matchCriteriaId\": \"6268E745-4C5D-4103-AD3F-0B16DBA1B1CD\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Pion WebRTC before 3.0.15 didn\u0027t properly tear down the DTLS Connection when certificate verification failed. The PeerConnectionState was set to failed, but a user could ignore that and continue to use the PeerConnection. )A WebRTC implementation shouldn\u0027t allow the user to continue if verification has failed.)\"}, {\"lang\": \"es\", \"value\": \"Pion WebRTC versiones anteriores a 3.0.15, no elimin\\u00f3 apropiadamente la conexi\\u00f3n DTLS cuando fall\\u00f3 una comprobaci\\u00f3n del certificado.\u0026#xa0;El PeerConnectionState se configur\\u00f3 para un fallo, pero un usuario podr\\u00eda ignorarlo y continuar usando PeerConnection.\u0026#xa0;(Una implementaci\\u00f3n de WebRTC no deber\\u00eda permitir al usuario continuar si la comprobaci\\u00f3n ha fallado)\"}]",
      "id": "CVE-2021-28681",
      "lastModified": "2024-11-21T06:00:07.237",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:P/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-03-18T04:15:14.617",
      "references": "[{\"url\": \"https://github.com/pion/webrtc/issues/1708\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/pion/webrtc/security/advisories/GHSA-74xm-qj29-cq8p\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/pion/webrtc/issues/1708\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/pion/webrtc/security/advisories/GHSA-74xm-qj29-cq8p\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-863\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-28681\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2021-03-18T04:15:14.617\",\"lastModified\":\"2024-11-21T06:00:07.237\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Pion WebRTC before 3.0.15 didn\u0027t properly tear down the DTLS Connection when certificate verification failed. The PeerConnectionState was set to failed, but a user could ignore that and continue to use the PeerConnection. )A WebRTC implementation shouldn\u0027t allow the user to continue if verification has failed.)\"},{\"lang\":\"es\",\"value\":\"Pion WebRTC versiones anteriores a 3.0.15, no elimin\u00f3 apropiadamente la conexi\u00f3n DTLS cuando fall\u00f3 una comprobaci\u00f3n del certificado.\u0026#xa0;El PeerConnectionState se configur\u00f3 para un fallo, pero un usuario podr\u00eda ignorarlo y continuar usando PeerConnection.\u0026#xa0;(Una implementaci\u00f3n de WebRTC no deber\u00eda permitir al usuario continuar si la comprobaci\u00f3n ha 
fallado)\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:webrtc_project:webrtc:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.0.15\",\"matchCriteriaId\":\"6268E745-4C5D-4103-AD3F-0B16DBA1B1CD\"}]}]}],\"references\":[{\"url\":\"https://github.com/pion/webrtc/issues/1708\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/pion/webrtc/security/advisories/GHSA-74xm-qj29-cq8p\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/pion/webrtc/issues/1708\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party 
Advisory\"]},{\"url\":\"https://github.com/pion/webrtc/security/advisories/GHSA-74xm-qj29-cq8p\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

