CVE-2022-23537

Name
CVE-2022-23537
Description
PJSIP is a free and open source multimedia communication library written in C that implements standards-based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. A buffer over-read (a read past the end of the received message) is possible when parsing a specially crafted STUN message that carries an unknown attribute. The vulnerability affects applications that use STUN, including PJNATH and PJSUA-LIB. The patch is available as a commit in the master branch (2.13.1).
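The bug class behind this advisory, as an added example that is not pjproject's code: a minimal STUN attribute walker in C that validates every attribute's declared length against the bytes remaining in the PDU before dispatching on the attribute type, so the bounds check cannot be skipped for types the parser does not recognise. The advisory and the linked commit are the authority on the exact fix in pjnath; the two message layouts below are constructed for this example, and the function and error names (stun_parse, STUN_EATTRLEN, and so on) are mine, not pjnath's.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define STUN_HDR_LEN       20
#define STUN_ATTR_HDR_LEN  4
#define STUN_MAGIC_COOKIE  0x2112A442u
#define STUN_ATTR_SOFTWARE 0x8022   /* RFC 5389 SOFTWARE, comprehension-optional */

/* Error codes are this example's own, not pjnath's. */
enum stun_result {
    STUN_ETRUNC   = -1,  /* PDU shorter than its header or length field claims */
    STUN_EFORMAT  = -2,  /* bad magic cookie or unaligned body length */
    STUN_EATTRLEN = -3   /* an attribute's declared length overruns the PDU */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Walk the attribute list of a STUN message. Returns the number of
 * attributes (>= 0) or a negative enum stun_result. *unknown receives how
 * many attributes had a type this parser does not implement. The length
 * check runs before the switch on the type, so it applies equally to
 * attributes the parser knows and to ones it does not. */
int stun_parse(const uint8_t *pdu, size_t pdu_len, int *unknown)
{
    if (pdu_len < STUN_HDR_LEN) return STUN_ETRUNC;
    if (rd32(pdu + 4) != STUN_MAGIC_COOKIE) return STUN_EFORMAT;

    size_t body_len = rd16(pdu + 2);                 /* excludes the 20-byte header */
    if (body_len % 4 != 0) return STUN_EFORMAT;
    if (body_len > pdu_len - STUN_HDR_LEN) return STUN_ETRUNC;

    const uint8_t *p = pdu + STUN_HDR_LEN;
    size_t remaining = body_len;
    int count = 0;
    *unknown = 0;

    while (remaining > 0) {
        if (remaining < STUN_ATTR_HDR_LEN) return STUN_ETRUNC;
        uint16_t type = rd16(p);
        uint16_t len  = rd16(p + 2);
        size_t padded = ((size_t)len + 3) & ~(size_t)3;  /* values are padded to 4 bytes */

        /* The check that must cover every type, including unknown ones:
         * the padded value has to fit inside what is left of the PDU. */
        if (padded > remaining - STUN_ATTR_HDR_LEN) return STUN_EATTRLEN;

        const uint8_t *value = p + STUN_ATTR_HDR_LEN;
        (void)value;  /* value[0..len) is only safe to read after the check above */
        switch (type) {
        case STUN_ATTR_SOFTWARE:
            /* Known attribute: len bytes of UTF-8 text. */
            break;
        default:
            /* Unknown attribute: just counted here. Copying or hex-dumping its
             * value would be the over-read if the length were still unchecked. */
            (*unknown)++;
            break;
        }
        p         += STUN_ATTR_HDR_LEN + padded;
        remaining -= STUN_ATTR_HDR_LEN + padded;
        count++;
    }
    return count;
}

/* Convenience wrappers so results can be checked without out-parameters. */
int stun_attr_count(const uint8_t *pdu, size_t pdu_len)
{
    int unk = 0;
    return stun_parse(pdu, pdu_len, &unk);
}
int stun_count_unknown(const uint8_t *pdu, size_t pdu_len)
{
    int unk = 0;
    int rc = stun_parse(pdu, pdu_len, &unk);
    return rc < 0 ? rc : unk;
}

#define TXID 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c

/* Constructed sample: Binding Request with SOFTWARE "abc" (len 3, padded
 * to 4) followed by an unknown attribute 0x7fff carrying a 4-byte value. */
const uint8_t stun_benign[] = {
    0x00,0x01, 0x00,0x10, 0x21,0x12,0xa4,0x42, TXID,
    0x80,0x22, 0x00,0x03, 'a','b','c',0x00,
    0x7f,0xff, 0x00,0x04, 0xde,0xad,0xbe,0xef
};

/* Constructed crafted PDU: the unknown attribute declares a 255-byte value
 * but only 4 bytes follow. A parser that trusts len for unknown types would
 * read about 250 bytes past the end of this buffer. */
const uint8_t stun_crafted[] = {
    0x00,0x01, 0x00,0x08, 0x21,0x12,0xa4,0x42, TXID,
    0x7f,0xff, 0x00,0xff, 0xde,0xad,0xbe,0xef
};
const size_t stun_benign_len  = sizeof stun_benign;
const size_t stun_crafted_len = sizeof stun_crafted;

int main(void)
{
    printf("benign:  %d attrs, %d unknown\n",
           stun_attr_count(stun_benign, stun_benign_len),
           stun_count_unknown(stun_benign, stun_benign_len));
    printf("crafted: rc=%d\n", stun_attr_count(stun_crafted, stun_crafted_len));
    return 0;
}
```

The point of the ordering is that the bounds check sits above the type switch: a parser that validates lengths only inside the handlers for attribute types it knows leaves the default branch (unknown types) reading whatever the attacker declared. The same wrapper also rejects a PDU whose header advertises a longer body than was actually received, which is the other common route to the same over-read.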
NVD Severity
unknown

References

Type URI
MISC https://github.com/pjsip/pjproject/security/advisories/GHSA-9pfh-r8x4-w26w
MISC https://github.com/pjsip/pjproject/commit/d8440f4d711a654b511f50f79c0445b26f9dd1e1
MISC https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:* pjsip >= None < 2.13.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
asterisk 3.18-main 18.20.2-r0 Timo Teras <timo.teras@iki.fi> fixed
asterisk 3.17-main 18.20.2-r0 Timo Teras <timo.teras@iki.fi> fixed
asterisk 3.16-main 18.20.2-r0 Timo Teras <timo.teras@iki.fi> fixed