CVE-2023-27585

EPSS 0.39%
Veröffentlicht 14.03.2023 17:15:19
Zuletzt bearbeitet 21.11.2024 07:53:12
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.13 and prior affects applications that use PJSIP DNS resolver. It doesn't affect PJSIP users who do not utilise PJSIP DNS resolver. This vulnerability is related to CVE-2022-24793. The difference is that this issue is in parsing the query record `parse_query()`, while the issue in CVE-2022-24793 is in `parse_rr()`. A patch is available as commit `d1c5e4d` in the `master` branch. A workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an external resolver implementation instead.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 10

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Teluu ≫ Pjsip Version < 2.13

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.39%	0.595

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

CWE-122 Heap-based Buffer Overflow

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html

https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4

Vendor Advisory

https://github.com/pjsip/pjproject/commit/d1c5e4da5bae7f220bc30719888bb389c905c0c5

Patch

https://github.com/pjsip/pjproject/security/advisories/GHSA-q9cp-8wcq-7pfr

Patch

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2023/04/msg00020.html

https://www.debian.org/security/2023/dsa-5438

https://www.pjsip.org/pjlib-util/docs/html/group__PJ__DNS__RESOLVER.htm

Product

https://nvd.nist.gov/vuln/detail/CVE-2023-27585

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-27585

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-27585

EUVD