VDB
CVE-2022-24793
CVE-2022-24793
PUBLISHED
CVSS 7.5 HIGH
PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.12 and prior affects applications that use PJSIP DNS resolution. It doesn't affect PJSIP users who utilize an external resolver. This vulnerability is related to CVE-2023-27585. The difference is that this issue is in parsing the query record `parse_rr()`, while the issue in CVE-2023-27585 is in `parse_query()`. A patch is available in the `master` branch of the `pjsip/pjproject` GitHub repository. A workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an external resolver instead.
EPSS 0.47% · 65.0th percentile
Risk Scores
CVSS v3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
0.47%
65.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| pjsip | pjsip | 0 |
| debian | debian_linux | 9.0, 10.0, 11.0 |
| pjsip | pjproject | <= 2.12 |
Timeline
- Apr 6, 2022 CVE Published
- Apr 9, 2022 EPSS Score
- May 29, 2022 EPSS Score
- Jul 20, 2022 EPSS Score
- Sep 8, 2022 EPSS Score
- Dec 18, 2022 EPSS Score
- Feb 6, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Mar 28, 2023 EPSS Score
- May 17, 2023 EPSS Score
- Jul 7, 2023 EPSS Score
- Aug 26, 2023 EPSS Score
References
- https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4 url
- https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a url
- [debian-lts-announce] 20220531 [SECURITY] [DLA 3036-1] pjproject security update mailing-list
- GLSA-202210-37 vendor-advisory
- [debian-lts-announce] 20221117 [SECURITY] [DLA 3194-1] asterisk security update mailing-list
- DSA-5285 vendor-advisory
- [debian-lts-announce] 20230829 [SECURITY] [DLA 3549-1] ring security update mailing-list
- https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html url