Alpine: multiple pjproject packages: security update to 2.12-r0

critical Tenable Cloud Security Plugin ID 424347

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- PJSIP is a free and open source multimedia communication library written in C language implementing
standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming
STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a
subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all
users that use STUN. A malicious actor located within the victim’s network may forge and send a specially
crafted UDP (STUN) message that could remotely execute arbitrary code on the victim’s machine. Users are
advised to upgrade as soon as possible. There are no known workarounds. (CVE-2021-37706)

- PJSIP is a free and open source multimedia communication library written in the C language implementing
standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In various parts of PJSIP, when
error/failure occurs, it is found that the function returns without releasing the currently held locks.
This could result in a system deadlock, which cause a denial of service for the users. No release has yet
been made which contains the linked fix commit. All versions up to an including 2.11.1 are affected. Users
may need to manually apply the patch. (CVE-2021-41141)

- Stack overflow in PJSUA API when calling pjsua_player_create. An attacker-controlled 'filename' argument
may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size validation.
(CVE-2021-43299)

- Stack overflow in PJSUA API when calling pjsua_recorder_create. An attacker-controlled 'filename' argument
may cause a buffer overflow since it is copied to a fixed-size stack buffer without any size validation.
(CVE-2021-43300)

See Also

https://security.alpinelinux.org/vuln/CVE-2021-37706

https://security.alpinelinux.org/vuln/CVE-2021-41141

https://security.alpinelinux.org/vuln/CVE-2021-43299

https://security.alpinelinux.org/vuln/CVE-2021-43300

https://security.alpinelinux.org/vuln/CVE-2021-43301

https://security.alpinelinux.org/vuln/CVE-2021-43302

https://security.alpinelinux.org/vuln/CVE-2021-43303

https://security.alpinelinux.org/vuln/CVE-2021-43804

https://security.alpinelinux.org/vuln/CVE-2021-43845

https://security.alpinelinux.org/vuln/CVE-2022-21722

https://security.alpinelinux.org/vuln/CVE-2022-21723

https://security.alpinelinux.org/vuln/CVE-2022-23608

Plugin Details

Severity: Critical

ID: 424347

Version: Revision 1.9

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2021-37706

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2022-23608

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 12/22/2021

Reference Information

CVE: CVE-2021-37706, CVE-2021-41141, CVE-2021-43299, CVE-2021-43300, CVE-2021-43301, CVE-2021-43302, CVE-2021-43303, CVE-2021-43804, CVE-2021-43845, CVE-2022-21722, CVE-2022-21723, CVE-2022-23608