Description

PJSIP is a free and open source multimedia communication library written in C language. In versions prior to and including 2.12 PJSIP there is a stack-buffer overflow vulnerability which only impacts PJSIP users who accept hashed digest credentials (credentials with data_type `PJSIP_CRED_DATA_DIGEST`). This issue has been patched in the master branch of the PJSIP repository and will be included with the next release. Users unable to upgrade need to check that the hashed digest data length must be equal to `PJSIP_MD5STRLEN` before passing to PJSIP.

Related CPE's

a

teluu

pjsip

Vulnerable

o

debian

debian_linux

9.0

Vulnerable

References

https://github.com/pjsip/pjproject/commit/d27f79da11df7bc8bb56c2f291d71e54df8d2c47

PatchThird Party Advisory

https://github.com/pjsip/pjproject/security/advisories/GHSA-73f7-48m9-w662

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html

https://security.gentoo.org/glsa/202210-37

Third Party Advisory

Weaknesses

[email protected]

Primary
CWE-120

[email protected]

Secondary
CWE-1284

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8 · Critical

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Modified

Published

2022-03-11T20:15:08.873

3 years ago

Last modified

2023-08-30T01:15:35.427

1 year ago