Lucene search

[email protected]NVD:CVE-2023-27596

HistoryMar 15, 2023 - 9:15 p.m.

CVE-2023-27596

2023-03-1521:15:08

CWE-770

[email protected]

web.nvd.nist.gov

opensips

sip server

crashes

malformed sdp

vulnerability

attacker

server

fix

version 3.1.8

version 3.2.5

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

38.4%

JSON

OpenSIPS is a Session Initiation Protocol (SIP) server implementation. Prior to versions 3.1.8 and 3.2.5, OpenSIPS crashes when a malformed SDP body is sent multiple times to an OpenSIPS configuration that makes use of the stream_process function. This issue was discovered during coverage guided fuzzing of the function codec_delete_except_re. By abusing this vulnerability, an attacker is able to crash the server. It affects configurations containing functions that rely on the affected code, such as the function codec_delete_except_re. This issue has been fixed in version 3.1.8 and 3.2.5.

Affected configurations

Nvd

Node

opensipsopensipsRange<3.1.8

opensipsopensipsRange3.2.0–3.2.5

VendorProductVersionCPE
opensipsopensips*cpe:2.3:a:opensips:opensips:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
opensips	opensips	*	cpe:2.3:a:opensips:opensips::::::::

References

github.com/OpenSIPS/opensips/commit/dd051f8ed5ae3347fb1d556ced3c97822c9d8450

github.com/OpenSIPS/opensips/security/advisories/GHSA-3ghx-j39m-cw4f

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

38.4%

JSON

Related for NVD:CVE-2023-27596

osv1 cve1 ubuntucve1 prion1 cvelist1