CVE-2021-21375 : PJSIP is a free and open source multimedia communication library written in C la

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP version 2.10 and earlier, after an initial INVITE has been sent, when two 183 responses are received, with the first one causing negotiation failure, a crash will occur. This results in a denial of service.

Published 2021-03-10 23:15:13

Updated 2022-10-21 22:40:21

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2021-21375

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Teluu » Pjsip
Versions up to, including, (<=) 2.10
cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-21375

EPSS FAQ

0.39%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 57 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-21375

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:N/A:P	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: High
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H	2.8	3.6	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2021-21375

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.

Assigned by: security-advisories@github.com (Secondary)
CWE-754 Improper Check for Unusual or Exceptional Conditions

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2021-21375

https://github.com/pjsip/pjproject/commit/97b3d7addbaa720b7ddb0af9bf6f3e443e664365

Merge pull request from GHSA-hvq6-f89p-frvp · pjsip/pjproject@97b3d7a · GitHub
Patch;Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/05/msg00020.html

[SECURITY] [DLA 2665-1] ring security update
Mailing List;Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/04/msg00023.html

[SECURITY] [DLA 2636-1] pjproject security update
Mailing List;Third Party Advisory
https://security.gentoo.org/glsa/202107-42

PJSIP: Multiple vulnerabilities (GLSA 202107-42) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://github.com/pjsip/pjproject/security/advisories/GHSA-hvq6-f89p-frvp

Crash in receiving updated SDP answer after initial SDP negotiation failed · Advisory · pjsip/pjproject · GitHub
Exploit;Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2021-21375

Products affected by CVE-2021-21375

Exploit prediction scoring system (EPSS) score for CVE-2021-21375

CVSS scores for CVE-2021-21375

CWE ids for CVE-2021-21375

References for CVE-2021-21375