Vulnerability Details: CVE-2022-24786
PJSIP is a free and open source multimedia communication library written in C. PJSIP versions 2.12 and prior do not parse incoming RTCP feedback RPSI (Reference Picture Selection Indication) packets themselves, but any application that calls pjmedia_rtcp_fb_parse_rpsi() directly is affected. A patch is available in the `master` branch of the `pjsip/pjproject` GitHub repository. There are currently no known workarounds.
Vulnerability category: Memory Corruption
Products affected by CVE-2022-24786
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:pjsip:pjsip:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-24786
0.80%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 82 %
Percentile: the proportion of all scored vulnerabilities whose EPSS score is at or below this one
CVSS scores for CVE-2022-24786
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | GitHub, Inc. | |
CWE ids for CVE-2022-24786
- The product reads data past the end, or before the beginning, of the intended buffer. Assigned by:
  - nvd@nist.gov (Secondary)
  - security-advisories@github.com (Primary)
- The product writes data past the end, or before the beginning, of the intended buffer. Assigned by:
  - nvd@nist.gov (Secondary)
  - security-advisories@github.com (Primary)
References for CVE-2022-24786
- https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508
  Merge pull request from GHSA-vhxv-phmx-g52q · pjsip/pjproject@11559e4 · GitHub (Patch; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
  [SECURITY] [DLA 3194-1] asterisk security update (Mailing List; Third Party Advisory)
- https://github.com/pjsip/pjproject/security/advisories/GHSA-vhxv-phmx-g52q
  Potential out-of-bound read/write when parsing RTCP FB RPSI · Advisory · pjsip/pjproject · GitHub (Third Party Advisory)
- https://security.gentoo.org/glsa/202210-37
  PJSIP: Multiple Vulnerabilities (GLSA 202210-37) - Gentoo security (Third Party Advisory)
- https://www.debian.org/security/2022/dsa-5285
  Debian -- Security Information -- DSA-5285-1 asterisk (Third Party Advisory)