PJSIP has use-after-free vulnerability in SRTP media transport
CVE-2023-38703

9.8CRITICAL

Key Information:

Vendor: Pjsip
Status: Pjproject
Vendor: CVE Published:; 6 October 2023

What is CVE-2023-38703?

The PJSIP multimedia communication library has revealed a vulnerability related to the synchronization between its higher-level SRTP transport and lower-level media transports, which may lead to a use-after-free condition. This issue primarily affects applications leveraging SRTP capabilities that do not utilize UDP as their underlying transport. Exploitation of this vulnerability could result in unexpected application termination or potentially allow for control flow hijacking and memory corruption. Developers are urged to review the available patch and update their implementations accordingly.

Affected Version(s)

pjproject <= 2.13.1

References

https://github.com/pjsip/pjproject/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/pjsip/pjproject/commit/6dc9b8c181aff39...

x_refsource_MISC

https://lists.debian.org/debian-lts-announce/2023/12/msg0...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 6, 2023
Vulnerability Reserved
Jul 24, 2023

CVE-2023-38703 Data

JSON

Pjsip

What is CVE-2023-38703?

Affected Version(s)

References

CVSS V3.1

Timeline