VDB
CVE-2022-24754
PUBLISHED
CVSS 8.5 HIGH
PJSIP is a free and open source multimedia communication library written in C. In PJSIP versions up to and including 2.12 there is a stack-buffer overflow vulnerability that only affects PJSIP users who accept hashed digest credentials (credentials with data_type `PJSIP_CRED_DATA_DIGEST`). This issue has been patched in the master branch of the PJSIP repository and will be included in the next release. Users unable to upgrade should verify that the hashed digest data length equals `PJSIP_MD5STRLEN` before passing it to PJSIP.
EPSS 0.55% · 68.3rd percentile
Risk Scores
CVSS v3.1
8.5
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score
0.55%
68.3rd percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| debian | debian_linux | 9.0 |
| teluu | pjsip | 0 |
| pjsip | pjproject | <= 2.12 |
Timeline
- Mar 11, 2022 CVE Published
- Mar 12, 2022 EPSS Score
- May 2, 2022 EPSS Score
- Jun 23, 2022 EPSS Score
- Oct 4, 2022 EPSS Score
- Nov 24, 2022 EPSS Score
- Jan 15, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 27, 2023 EPSS Score
- Jun 17, 2023 EPSS Score
- Sep 28, 2023 EPSS Score
- Nov 18, 2023 EPSS Score
References
- https://github.com/pjsip/pjproject/security/advisories/GHSA-73f7-48m9-w662 url
- https://github.com/pjsip/pjproject/commit/d27f79da11df7bc8bb56c2f291d71e54df8d2c47 url
- [debian-lts-announce] 20220328 [SECURITY] [DLA 2962-1] pjproject security update mailing-list
- GLSA-202210-37 vendor-advisory
- [debian-lts-announce] 20230829 [SECURITY] [DLA 3549-1] ring security update mailing-list
- https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html url