Potential stack buffer overflow when parsing message as a STUN client
CVE-2022-31031

9.8CRITICAL

Key Information:

Vendor: Pjsip
Status: Pjproject
Vendor: CVE Published:; 9 June 2022

What is CVE-2022-31031?

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions prior to and including 2.12.1 a stack buffer overflow vulnerability affects PJSIP users that use STUN in their applications, either by: setting a STUN server in their account/media config in PJSUA/PJSUA2 level, or directly using pjlib-util/stun_simple API. A patch is available in commit 450baca which should be included in the next release. There are no known workarounds for this issue.

Affected Version(s)

pjproject <= 2.12.1

References

https://github.com/pjsip/pjproject/security/advisories/GH...

https://github.com/pjsip/pjproject/commit/450baca94f47534...

https://security.gentoo.org/glsa/202210-37

vendor-advisory

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2022
Vulnerability Reserved
May 18, 2022

CVE-2022-31031 Data

JSON

Pjsip

What is CVE-2022-31031?

Affected Version(s)

References

CVSS V3.1

Timeline