Heap buffer overflow in pjproject when decoding STUN message
CVE-2022-23547

6.5MEDIUM

Key Information:

Vendor

Pjsip

Status
Pjproject
Vendor
CVE Published:
23 December 2022

What is CVE-2022-23547?

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. This issue is similar to GHSA-9pfh-r8x4-w26w. Possible buffer overread when parsing a certain STUN message. The vulnerability affects applications that uses STUN including PJNATH and PJSUA-LIB. The patch is available as commit in the master branch.

Affected Version(s)

pjproject <= 2.13

References

https://github.com/pjsip/pjproject/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/pjsip/pjproject/security/advisories/GH...
x_refsource_MISC
https://github.com/pjsip/pjproject/commit/bc4812d31a67d5e...
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.