Lucene search

GoogleOSV:CVE-2023-28095

HistoryMar 15, 2023 - 10:15 p.m.

CVE-2023-28095

2023-03-1522:15:10

Google

osv.dev

opensips

sip server

potential issue

msg_translator.c

server crash

denial of service

software

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.9

Confidence

Low

EPSS

0.001

Percentile

40.4%

JSON

OpenSIPS is a Session Initiation Protocol (SIP) server implementation. Versions prior to 3.1.7 and 3.2.4 have a potential issue in msg_translator.c:2628 which might lead to a server crash. This issue was found while fuzzing the function build_res_buf_from_sip_req but could not be reproduced against a running instance of OpenSIPS. This issue could not be exploited against a running instance of OpenSIPS since no public function was found to make use of this vulnerable code. Even in the case of exploitation through unknown vectors, it is highly unlikely that this issue would lead to anything other than Denial of Service. This issue has been fixed in versions 3.1.7 and 3.2.4.

References

github.com/OpenSIPS/opensips/commit/9cf3dd3398719dd91207495f76d7726701c5145c

github.com/OpenSIPS/opensips/security/advisories/GHSA-7pf3-24qg-8v9h

opensips.org/pub/audit-2022/opensips-audit-technical-report-full.pdf

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

6.9

Confidence

Low

EPSS

0.001

Percentile

40.4%

JSON

Related for OSV:CVE-2023-28095