PJSIP has use-after-free vulnerability in SRTP media transport
CVE-2023-38703

9.8CRITICAL

Key Information:

Vendor

Pjsip

Status
Pjproject
Vendor
CVE Published:
6 October 2023

What is CVE-2023-38703?

The PJSIP multimedia communication library has revealed a vulnerability related to the synchronization between its higher-level SRTP transport and lower-level media transports, which may lead to a use-after-free condition. This issue primarily affects applications leveraging SRTP capabilities that do not utilize UDP as their underlying transport. Exploitation of this vulnerability could result in unexpected application termination or potentially allow for control flow hijacking and memory corruption. Developers are urged to review the available patch and update their implementations accordingly.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

pjproject <= 2.13.1

References

https://github.com/pjsip/pjproject/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/pjsip/pjproject/commit/6dc9b8c181aff39...
x_refsource_MISC
https://lists.debian.org/debian-lts-announce/2023/12/msg0...

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.