Alpine: pjproject: security update to 2.13.1-r0

high Tenable Cloud Security Plugin ID 408012

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- PJSIP is a free and open source multimedia communication library written in C. A buffer overflow
vulnerability in versions 2.13 and prior affects applications that use PJSIP DNS resolver. It doesn't
affect PJSIP users who do not utilise PJSIP DNS resolver. This vulnerability is related to CVE-2022-24793.
The difference is that this issue is in parsing the query record `parse_query()`, while the issue in
CVE-2022-24793 is in `parse_rr()`. A patch is available as commit `d1c5e4d` in the `master` branch. A
workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an
external resolver implementation instead. (CVE-2023-27585)

See Also

https://security.alpinelinux.org/vuln/CVE-2023-27585

Plugin Details

Severity: High

ID: 408012

Version: Revision 1.30

Type: Local

Published: 11/9/2023

Updated: 12/19/2025

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2023-27585

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 3/14/2023

Reference Information

CVE: CVE-2023-27585