Ubuntu.comUB:CVE-2021-37706CVE-2021-37706
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
89.6%
PJSIP is a free and open source multimedia communication library written in
C language implementing standard based protocols such as SIP, SDP, RTP,
STUN, TURN, and ICE. In affected versions if the incoming STUN message
contains an ERROR-CODE attribute, the header length is not checked before
performing a subtraction operation, potentially resulting in an integer
underflow scenario. This issue affects all users that use STUN. A malicious
actor located within the victimβs network may forge and send a specially
crafted UDP (STUN) message that could remotely execute arbitrary code on
the victimβs machine. Users are advised to upgrade as soon as possible.
There are no known workarounds.
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 18.04 | noarch | pjproject | <Β any | UNKNOWN |
| ubuntu | 16.04 | noarch | pjproject | <Β any | UNKNOWN |
| ubuntu | 18.04 | noarch | ring | <Β 20180228.1.503da2b~ds1-1ubuntu0.1~esm1 | UNKNOWN |
| ubuntu | 20.04 | noarch | ring | <Β 20190215.1.f152c98~ds1-1+deb10u2build0.20.04.1 | UNKNOWN |
| ubuntu | 23.04 | noarch | ring | <Β 20230206.0~ds1-5ubuntu0.1 | UNKNOWN |
| ubuntu | 23.10 | noarch | ring | <Β 20230206.0~ds2-1.3ubuntu0.1 | UNKNOWN |
References
github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865
github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984
launchpad.net/bugs/cve/CVE-2021-37706
nvd.nist.gov/vuln/detail/CVE-2021-37706
security-tracker.debian.org/tracker/CVE-2021-37706
ubuntu.com/security/notices/USN-6422-1
ubuntu.com/security/notices/USN-6422-2
www.cve.org/CVERecord?id=CVE-2021-37706
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
89.6%