Vulnerability Details : CVE-2022-21722
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.11.1 and prior, there are various cases where it is possible that certain incoming RTP/RTCP packets can potentially cause out-of-bound read access. This issue affects all users that use PJMEDIA and accept incoming RTP/RTCP. A patch is available as a commit in the `master` branch. There are no known workarounds.
Products affected by CVE-2022-21722
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-21722
0.29%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 69 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-21722
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.4
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:P |
10.0
|
4.9
|
NIST | |
9.1
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
3.9
|
5.2
|
NIST | |
9.1
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
3.9
|
5.2
|
GitHub, Inc. |
CWE ids for CVE-2022-21722
-
The product reads data past the end, or before the beginning, of the intended buffer.Assigned by:
- nvd@nist.gov (Secondary)
- security-advisories@github.com (Primary)
References for CVE-2022-21722
-
https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
[SECURITY] [DLA 3549-1] ring security update
-
https://github.com/pjsip/pjproject/commit/22af44e68a0c7d190ac1e25075e1382f77e9397a
Merge pull request from GHSA-m66q-q64c-hv36 · pjsip/pjproject@22af44e · GitHubPatch;Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
[SECURITY] [DLA 3194-1] asterisk security updateMailing List;Third Party Advisory
-
https://github.com/pjsip/pjproject/security/advisories/GHSA-m66q-q64c-hv36
Potential out-of-bound read during RTP/RTCP parsing · Advisory · pjsip/pjproject · GitHubPatch;Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html
[SECURITY] [DLA 2962-1] pjproject security updateMailing List;Third Party Advisory
-
https://security.gentoo.org/glsa/202210-37
PJSIP: Multiple Vulnerabilities (GLSA 202210-37) — Gentoo securityThird Party Advisory
-
https://www.debian.org/security/2022/dsa-5285
Debian -- Security Information -- DSA-5285-1 asteriskThird Party Advisory
Jump to