CVE-2022-21722

critical

Description

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.11.1 and prior, there are various cases where it is possible that certain incoming RTP/RTCP packets can potentially cause out-of-bound read access. This issue affects all users that use PJMEDIA and accept incoming RTP/RTCP. A patch is available as a commit in the `master` branch. There are no known workarounds.

References

https://github.com/pjsip/pjproject/security/advisories/GHSA-m66q-q64c-hv36

https://github.com/pjsip/pjproject/commit/22af44e68a0c7d190ac1e25075e1382f77e9397a

https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html

https://security.gentoo.org/glsa/202210-37

https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html

https://www.debian.org/security/2022/dsa-5285

Details

Source: MITRE

Published: 2022-01-27

Updated: 2023-02-02

Type: CWE-125

Risk Information

CVSS v2

Base Score: 6.4

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P

Impact Score: 4.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3

Base Score: 9.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Impact Score: 5.2

Exploitability Score: 3.9

Severity: CRITICAL