CVE-2022-23537

2022-12-2019:15:24

Debian Security Bug Tracker

security-tracker.debian.org

pjsip

multimedia communication library

sip

sdp

rtp

stun

turn

ice

vulnerability

buffer overread

remote code execution

patch

commit

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

57.2%

JSON

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. Buffer overread is possible when parsing a specially crafted STUN message with unknown attribute. The vulnerability affects applications that uses STUN including PJNATH and PJSUA-LIB. The patch is available as a commit in the master branch (2.13.1).

OSVersionArchitecturePackageVersionFilename
Debian11allasterisk< 1:16.28.0~dfsg-0+deb11u2asterisk_1:16.28.0~dfsg-0+deb11u2_all.deb
Debian999allasterisk< 1:20.4.0~dfsg+~cs6.13.40431414-1asterisk_1:20.4.0~dfsg+~cs6.13.40431414-1_all.deb
Debian12allring< 20230206.0~ds1-1ring_20230206.0~ds1-1_all.deb
Debian11allring< 20210112.2.b757bac~ds1-1+deb11u1ring_20210112.2.b757bac~ds1-1+deb11u1_all.deb
Debian999allring< 20230206.0~ds1-1ring_20230206.0~ds1-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	11	all	asterisk	< 1:16.28.0~dfsg-0+deb11u2	asterisk_1:16.28.0~dfsg-0+deb11u2_all.deb
Debian	999	all	asterisk	< 1:20.4.0~dfsg+~cs6.13.40431414-1	asterisk_1:20.4.0~dfsg+~cs6.13.40431414-1_all.deb
Debian	12	all	ring	< 20230206.0~ds1-1	ring_20230206.0~ds1-1_all.deb
Debian	11	all	ring	< 20210112.2.b757bac~ds1-1+deb11u1	ring_20210112.2.b757bac~ds1-1+deb11u1_all.deb
Debian	999	all	ring	< 20230206.0~ds1-1	ring_20230206.0~ds1-1_all.deb