Alpine: multiple pjproject packages: security update to 2.13-r0

critical Tenable Self-Hosted Container Security Plugin ID 424407

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- PJSIP is a free and open source multimedia communication library written in C language implementing
standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions prior to and including
2.12.1 a stack buffer overflow vulnerability affects PJSIP users that use STUN in their applications,
either by: setting a STUN server in their account/media config in PJSUA/PJSUA2 level, or directly using
`pjlib-util/stun_simple` API. A patch is available in commit 450baca which should be included in the next
release. There are no known workarounds for this issue. (CVE-2022-31031)

- PJSIP is a free and open source multimedia communication library written in C. In versions of PJSIP prior
to 2.13 the PJSIP parser, PJMEDIA RTP decoder, and PJMEDIA SDP parser are affeced by a buffer overflow
vulnerability. Users connecting to untrusted clients are at risk. This issue has been patched and is
available as commit c4d3498 in the master branch and will be included in releases 2.13 and later. Users
are advised to upgrade. There are no known workarounds for this issue. (CVE-2022-39244)

- PJSIP is a free and open source multimedia communication library written in C. When processing certain
packets, PJSIP may incorrectly switch from using SRTP media transport to using basic RTP upon SRTP
restart, causing the media to be sent insecurely. The vulnerability impacts all PJSIP users that use SRTP.
The patch is available as commit d2acb9a in the master branch of the project and will be included in
version 2.13. Users are advised to manually patch or to upgrade. There are no known workarounds for this
vulnerability. (CVE-2022-39269)

See Also

https://security.alpinelinux.org/vuln/CVE-2022-31031

https://security.alpinelinux.org/vuln/CVE-2022-39244

https://security.alpinelinux.org/vuln/CVE-2022-39269

Plugin Details

Severity: Critical

ID: 424407

Version: Revision 1.14

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-31031

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2022-39244

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 6/7/2022

Reference Information

CVE: CVE-2022-31031, CVE-2022-39244, CVE-2022-39269