VDB
CVE-2023-27585
CVE-2023-27585
PUBLISHED
CVSS 7.5 HIGH
PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.13 and prior affects applications that use PJSIP DNS resolver. It doesn't affect PJSIP users who do not utilise PJSIP DNS resolver. This vulnerability is related to CVE-2022-24793. The difference is that this issue is in parsing the query record `parse_query()`, while the issue in CVE-2022-24793 is in `parse_rr()`. A patch is available as commit `d1c5e4d` in the `master` branch. A workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an external resolver implementation instead.
EPSS 0.54% · 67.8th percentile
Risk Scores
CVSS v3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
0.54%
67.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| teluu | pjsip | 0, 0 |
| pjsip | pjproject | <= 2.13, <= 2.13 |
Timeline
- Mar 14, 2023 CVE Published
- Mar 14, 2023 PoC Published
- Mar 15, 2023 EPSS Score
- Apr 23, 2023 EPSS Score
- Jul 9, 2023 EPSS Score
- Aug 16, 2023 EPSS Score
- Sep 24, 2023 EPSS Score
- Dec 10, 2023 EPSS Score
- Jan 18, 2024 EPSS Score
- Feb 26, 2024 EPSS Score
- May 13, 2024 EPSS Score
- Jun 20, 2024 EPSS Score
References
- https://github.com/pjsip/pjproject/security/advisories/GHSA-q9cp-8wcq-7pfr url
- https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4 url
- https://github.com/pjsip/pjproject/commit/d1c5e4da5bae7f220bc30719888bb389c905c0c5 url
- https://www.pjsip.org/pjlib-util/docs/html/group__PJ__DNS__RESOLVER.htm url
- [debian-lts-announce] 20230418 [SECURITY] [DLA 3394-1] asterisk security update mailing-list
- DSA-5438 vendor-advisory
- [debian-lts-announce] 20230829 [SECURITY] [DLA 3549-1] ring security update mailing-list
- https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html url