7.5

CVE-2023-27585

PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.13 and prior affects applications that use PJSIP DNS resolver. It doesn't affect PJSIP users who do not utilise PJSIP DNS resolver. This vulnerability is related to CVE-2022-24793. The difference is that this issue is in parsing the query record `parse_query()`, while the issue in CVE-2022-24793 is in `parse_rr()`. A patch is available as commit `d1c5e4d` in the `master` branch. A workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an external resolver implementation instead.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
TeluuPjsip Version < 2.13
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.33% 0.813
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.

CWE-122 Heap-based Buffer Overflow

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4
Vendor Advisory
https://github.com/pjsip/pjproject/commit/d1c5e4da5bae7f220bc30719888bb389c905c0c5
Patch
https://github.com/pjsip/pjproject/security/advisories/GHSA-q9cp-8wcq-7pfr
Patch
Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/04/msg00020.html
https://www.debian.org/security/2023/dsa-5438
https://www.pjsip.org/pjlib-util/docs/html/group__PJ__DNS__RESOLVER.htm
Product
https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html