Alpine: multiple pjproject packages: security update to 2.12.1-r0

critical Tenable Self-Hosted Container Security Plugin ID 424350

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- PJSIP is a free and open source multimedia communication library written in C. PJSIP versions 2.12 and
prior do not parse incoming RTCP feedback RPSI (Reference Picture Selection Indication) packet, but any
app that directly uses pjmedia_rtcp_fb_parse_rpsi() will be affected. A patch is available in the `master`
branch of the `pjsip/pjproject` GitHub repository. There are currently no known workarounds.
(CVE-2022-24786)

- PJSIP is a free and open source multimedia communication library written in C language. In versions prior
to and including 2.12 PJSIP there is a stack-buffer overflow vulnerability which only impacts PJSIP users
who accept hashed digest credentials (credentials with data_type `PJSIP_CRED_DATA_DIGEST`). This issue has
been patched in the master branch of the PJSIP repository and will be included with the next release.
Users unable to upgrade need to check that the hashed digest data length must be equal to
`PJSIP_MD5STRLEN` before passing to PJSIP. (CVE-2022-24754)

- PJSIP is a free and open source multimedia communication library written in the C language. Versions 2.12
and prior contain a denial-of-service vulnerability that affects PJSIP users that consume PJSIP's XML
parsing in their apps. Users are advised to update. There are no known workarounds. (CVE-2022-24763)

- PJSIP is a free and open source multimedia communication library written in C. Versions 2.12 and prior
contain a stack buffer overflow vulnerability that affects PJSUA2 users or users that call the API
`pjmedia_sdp_print(), pjmedia_sdp_media_print()`. Applications that do not use PJSUA2 and do not directly
call `pjmedia_sdp_print()` or `pjmedia_sdp_media_print()` should not be affected. A patch is available on
the `master` branch of the `pjsip/pjproject` GitHub repository. There are currently no known workarounds.
(CVE-2022-24764)

See Also

https://security.alpinelinux.org/vuln/CVE-2022-24754

https://security.alpinelinux.org/vuln/CVE-2022-24763

https://security.alpinelinux.org/vuln/CVE-2022-24764

https://security.alpinelinux.org/vuln/CVE-2022-24786

https://security.alpinelinux.org/vuln/CVE-2022-24792

https://security.alpinelinux.org/vuln/CVE-2022-24793

Plugin Details

Severity: Critical

ID: 424350

Version: Revision 1.14

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-24786

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 3/11/2022

Reference Information

CVE: CVE-2022-24754, CVE-2022-24763, CVE-2022-24764, CVE-2022-24786, CVE-2022-24792, CVE-2022-24793