9.1

CVE-2022-21723

Out-of-bounds read in multipart parsing in PJSIP

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions 2.11.1 and prior, parsing an incoming SIP message that contains a malformed multipart can potentially cause out-of-bound read access. This issue affects all PJSIP users that accept SIP multipart. The patch is available as commit in the `master` branch. There are no known workarounds.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
TeluuPjsip Version <= 2.11.1
AsteriskCertified Asterisk Version16.8.0
AsteriskCertified Asterisk Version16.8.0 Updatecert1
AsteriskCertified Asterisk Version16.8.0 Updatecert10
AsteriskCertified Asterisk Version16.8.0 Updatecert11
AsteriskCertified Asterisk Version16.8.0 Updatecert12
AsteriskCertified Asterisk Version16.8.0 Updatecert2
AsteriskCertified Asterisk Version16.8.0 Updatecert3
AsteriskCertified Asterisk Version16.8.0 Updatecert4
AsteriskCertified Asterisk Version16.8.0 Updatecert5
AsteriskCertified Asterisk Version16.8.0 Updatecert6
AsteriskCertified Asterisk Version16.8.0 Updatecert7
AsteriskCertified Asterisk Version16.8.0 Updatecert8
AsteriskCertified Asterisk Version16.8.0 Updatecert9
SangomaAsterisk Version >= 16.0.0 < 16.24.1
SangomaAsterisk Version >= 18.0.0 < 18.10.1
SangomaAsterisk Version >= 19.0.0 < 19.2.1
DebianDebian Linux Version9.0
DebianDebian Linux Version10.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 4.48% 0.902
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.1 3.9 5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
nvd@nist.gov 6.4 10 4.9
AV:N/AC:L/Au:N/C:P/I:N/A:P
security-advisories@github.com 9.1 3.9 5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html
Third Party Advisory
Mailing List
https://security.gentoo.org/glsa/202210-37
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
Third Party Advisory
Mailing List
https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
https://www.debian.org/security/2022/dsa-5285
Third Party Advisory
http://packetstormsecurity.com/files/166227/Asterisk-Project-Security-Advisory-AST-2022-006.html
Third Party Advisory
VDB Entry
http://seclists.org/fulldisclosure/2022/Mar/2
Patch
Third Party Advisory
Mailing List
https://github.com/pjsip/pjproject/commit/077b465c33f0aec05a49cd2ca456f9a1b112e896
Patch
Third Party Advisory
https://github.com/pjsip/pjproject/security/advisories/GHSA-7fw8-54cv-r7pm
Patch
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html