Out-of-bounds read when parsing RTCP BYE message in PJSIP
CVE-2021-43804

7.3HIGH

Key Information:

Vendor: Pjsip
Status: Pjproject
Vendor: CVE Published:; 22 December 2021

What is CVE-2021-43804?

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming RTCP BYE message contains a reason's length, this declared length is not checked against the actual received packet size, potentially resulting in an out-of-bound read access. This issue affects all users that use PJMEDIA and RTCP. A malicious actor can send a RTCP BYE message with an invalid reason length. Users are advised to upgrade as soon as possible. There are no known workarounds.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

pjproject <= 2.11.1

References

https://github.com/pjsip/pjproject/security/advisories/GH...

https://github.com/pjsip/pjproject/commit/8b621f192cae144...

https://lists.debian.org/debian-lts-announce/2022/03/msg0...

mailing-list

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 22, 2021
Vulnerability Reserved
Nov 16, 2021

JSON

Pjsip