VDB
CVE-2022-39269
CVE-2022-39269
PUBLISHED
CVSS 9.100000381469727 CRITICAL
PJSIP is a free and open source multimedia communication library written in C. When processing certain packets, PJSIP may incorrectly switch from using SRTP media transport to using basic RTP upon SRTP restart, causing the media to be sent insecurely. The vulnerability impacts all PJSIP users that use SRTP. The patch is available as commit d2acb9a in the master branch of the project and will be included in version 2.13. Users are advised to manually patch or to upgrade. There are no known workarounds for this vulnerability.
EPSS 0.17% · 37.9th percentile
Risk Scores
CVSS v3.1
9.100000381469727
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score
0.17%
37.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| pjsip | pjsip | 2.11 |
| pjsip | pjproject | >= 2.11, < 2.13 |
Timeline
- Oct 6, 2022 CVE Published
- Oct 7, 2022 EPSS Score
- Nov 20, 2022 EPSS Score
- Jan 3, 2023 EPSS Score
- Feb 16, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 1, 2023 EPSS Score
- May 16, 2023 EPSS Score
- Jun 29, 2023 EPSS Score
- Aug 12, 2023 EPSS Score
- Sep 25, 2023 EPSS Score
- Nov 8, 2023 EPSS Score
References
- https://github.com/pjsip/pjproject/security/advisories/GHSA-wx5m-cj97-4wwg url
- https://github.com/pjsip/pjproject/commit/d2acb9af4e27b5ba75d658690406cec9c274c5cc url
- GLSA-202210-37 vendor-advisory
- [debian-lts-announce] 20230222 [SECURITY] [DLA 3335-1] asterisk security update mailing-list
- DSA-5358 vendor-advisory