GitHub_MCVELIST:CVE-2022-24792CVE-2022-24792 Potential infinite loop when parsing WAV format file in PJSIP
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
61.9%
PJSIP is a free and open source multimedia communication library written in C. A denial-of-service vulnerability affects applications on a 32-bit systems that use PJSIP versions 2.12 and prior to play/read invalid WAV files. The vulnerability occurs when reading WAV file data chunks with length greater than 31-bit integers. The vulnerability does not affect 64-bit apps and should not affect apps that only plays trusted WAV files. A patch is available on the master branch of the pjsip/project GitHub repository. As a workaround, apps can reject a WAV file received from an unknown source or validate the file first.
CNA Affected
[
{
"vendor": "pjsip",
"product": "pjproject",
"versions": [
{
"version": "<= 2.12",
"status": "affected"
}
]
}
]References
github.com/pjsip/pjproject/commit/947bc1ee6d05be10204b918df75a503415fd3213
github.com/pjsip/pjproject/security/advisories/GHSA-rwgw-vwxg-q799
lists.debian.org/debian-lts-announce/2022/05/msg00047.html
lists.debian.org/debian-lts-announce/2022/11/msg00021.html
security.gentoo.org/glsa/202210-37
www.debian.org/security/2022/dsa-5285
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
61.9%