7.5
CVE-2021-43804
- EPSS 2.19%
- Veröffentlicht 22.12.2021 18:15:07
- Zuletzt bearbeitet 04.11.2025 16:15:45
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Out-of-bounds read when parsing RTCP BYE message in PJSIP
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming RTCP BYE message contains a reason's length, this declared length is not checked against the actual received packet size, potentially resulting in an out-of-bound read access. This issue affects all users that use PJMEDIA and RTCP. A malicious actor can send a RTCP BYE message with an invalid reason length. Users are advised to upgrade as soon as possible. There are no known workarounds.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 2.19% | 0.801 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.3 | 3.9 | 3.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
| security-advisories@github.com | 7.3 | 3.9 | 3.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
|
CWE-125 Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer.
https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html
https://security.gentoo.org/glsa/202210-37
https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
https://www.debian.org/security/2022/dsa-5285
https://github.com/pjsip/pjproject/commit/8b621f192cae14456ee0b0ade52ce6c6f258af1e
https://github.com/pjsip/pjproject/security/advisories/GHSA-3qx3-cg72-wrh9
https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html