7.5

CVE-2021-43804

Out-of-bounds read when parsing RTCP BYE message in PJSIP

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming RTCP BYE message contains a reason's length, this declared length is not checked against the actual received packet size, potentially resulting in an out-of-bound read access. This issue affects all users that use PJMEDIA and RTCP. A malicious actor can send a RTCP BYE message with an invalid reason length. Users are advised to upgrade as soon as possible. There are no known workarounds.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
TeluuPjsip Version <= 2.11.1
DebianDebian Linux Version9.0
DebianDebian Linux Version10.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.19% 0.801
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.3 3.9 3.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
security-advisories@github.com 7.3 3.9 3.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html
Third Party Advisory
Mailing List
https://security.gentoo.org/glsa/202210-37
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
Third Party Advisory
Mailing List
https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
https://www.debian.org/security/2022/dsa-5285
Third Party Advisory
https://github.com/pjsip/pjproject/commit/8b621f192cae14456ee0b0ade52ce6c6f258af1e
Patch
Third Party Advisory
https://github.com/pjsip/pjproject/security/advisories/GHSA-3qx3-cg72-wrh9
Patch
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html