CVE-2022-21723 - OpenCVE

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions 2.11.1 and prior, parsing an incoming SIP message that contains a malformed multipart can potentially cause out-of-bound read access. This issue affects all PJSIP users that accept SIP multipart. The patch is available as commit in the `master` branch. There are no known workarounds.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Asterisk	Certified Asterisk
Debian	Debian Linux
Sangoma	Asterisk
Teluu	Pjsip

Configuration 1 [-]

cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:asterisk:certified_asterisk:16.8.0:::::::*
	cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert1::::::
	cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert10::::::
	cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert11::::::
	cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert12::::::
	cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert2::::::
	cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert3::::::
	cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert4::::::
	cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert5::::::
	cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert6::::::
	cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert7::::::
	cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert8::::::
	cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert9::::::
	cpe:2.3:a:sangoma:asterisk::::::::
	cpe:2.3:a:sangoma:asterisk::::::::
	cpe:2.3:a:sangoma:asterisk::::::::

Configuration 3 [-]

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/166227/Asterisk-Project-Security-Advisory-AST-2022-006.html
http://seclists.org/fulldisclosure/2022/Mar/2
https://github.com/pjsip/pjproject/commit/077b465c33f0aec05a49cd2ca456f9a1b112e896
https://github.com/pjsip/pjproject/security/advisories/GHSA-7fw8-54cv-r7pm
https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html
https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
https://security.gentoo.org/glsa/202210-37
https://www.debian.org/security/2022/dsa-5285

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-01-27T00:00:00

Updated: 2024-08-03T02:53:35.431Z

Reserved: 2021-11-16T00:00:00

Link: CVE-2022-21723

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-01-27T00:15:07.737

Modified: 2023-08-30T01:15:30.153

Link: CVE-2022-21723

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object