Description
There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:
- PJSIP is a free and open source multimedia communication library written in C. PJSIP versions 2.12 and
prior do not parse incoming RTCP feedback RPSI (Reference Picture Selection Indication) packet, but any
app that directly uses pjmedia_rtcp_fb_parse_rpsi() will be affected. A patch is available in the `master`
branch of the `pjsip/pjproject` GitHub repository. There are currently no known workarounds.
(CVE-2022-24786)
- PJSIP is a free and open source multimedia communication library written in C language. In versions prior
to and including 2.12 PJSIP there is a stack-buffer overflow vulnerability which only impacts PJSIP users
who accept hashed digest credentials (credentials with data_type `PJSIP_CRED_DATA_DIGEST`). This issue has
been patched in the master branch of the PJSIP repository and will be included with the next release.
Users unable to upgrade need to check that the hashed digest data length must be equal to
`PJSIP_MD5STRLEN` before passing to PJSIP. (CVE-2022-24754)
- PJSIP is a free and open source multimedia communication library written in the C language. Versions 2.12
and prior contain a denial-of-service vulnerability that affects PJSIP users that consume PJSIP's XML
parsing in their apps. Users are advised to update. There are no known workarounds. (CVE-2022-24763)
- PJSIP is a free and open source multimedia communication library written in C. Versions 2.12 and prior
contain a stack buffer overflow vulnerability that affects PJSUA2 users or users that call the API
`pjmedia_sdp_print(), pjmedia_sdp_media_print()`. Applications that do not use PJSUA2 and do not directly
call `pjmedia_sdp_print()` or `pjmedia_sdp_media_print()` should not be affected. A patch is available on
the `master` branch of the `pjsip/pjproject` GitHub repository. There are currently no known workarounds.
(CVE-2022-24764)
Plugin Details
Supported Sensors: Agentless Assessment
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
Exploit Ease: No known exploits are available
Vulnerability Publication Date: 3/11/2022