Vulnerability Details : CVE-2023-38703
PJSIP is a free and open source multimedia communication library written in C with high-level APIs in C, C++, Java, C#, and Python. SRTP is a higher-level media transport that is stacked upon a lower-level media transport such as UDP or ICE. Currently, a higher-level transport is not synchronized with its lower-level transport, which may introduce a use-after-free issue. This vulnerability affects applications that have SRTP capability (`PJMEDIA_HAS_SRTP` is set) and use an underlying media transport other than UDP. The impact of this vulnerability may range from unexpected application termination to control-flow hijack and memory corruption. The patch is available as a commit in the master branch.
Vulnerability category: Memory Corruption
Products affected by CVE-2023-38703
- cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-38703
- EPSS score: 0.17% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~54% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2023-38703
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | GitHub, Inc. | |
CWE ids for CVE-2023-38703
- The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
  Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-38703
- https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html
  [SECURITY] [DLA 3696-1] asterisk security update
- https://github.com/pjsip/pjproject/commit/6dc9b8c181aff39845f02b4626e0812820d4ef0d
  Merge pull request from GHSA-f76w-fh7c-pc66 · pjsip/pjproject@6dc9b8c · GitHub (Patch)
- https://github.com/pjsip/pjproject/security/advisories/GHSA-f76w-fh7c-pc66
  Use-after-free in SRTP media transport · Advisory · pjsip/pjproject · GitHub (Patch; Vendor Advisory)