Lucene search

GitHub_MCVE-2022-24754

HistoryMar 11, 2022 - 8:15 p.m.

CVE-2022-24754

2022-03-1120:15:08

CWE-120

CWE-1284

GitHub_M

web.nvd.nist.gov

119

pjsip

cve-2022-24754

stack-buffer overflow

vulnerability

security

patch

nvd

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.3

Confidence

High

EPSS

0.007

Percentile

80.9%

JSON

PJSIP is a free and open source multimedia communication library written in C language. In versions prior to and including 2.12 PJSIP there is a stack-buffer overflow vulnerability which only impacts PJSIP users who accept hashed digest credentials (credentials with data_type PJSIP_CRED_DATA_DIGEST). This issue has been patched in the master branch of the PJSIP repository and will be included with the next release. Users unable to upgrade need to check that the hashed digest data length must be equal to PJSIP_MD5STRLEN before passing to PJSIP.

Affected configurations

Nvd

Vulners

Node

teluupjsipRange≤2.12

Node

debiandebian_linuxMatch9.0

VendorProductVersionCPE
teluupjsip*cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:*
debiandebian_linux9.0cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
teluu	pjsip	*	cpe:2.3:a:teluu:pjsip::::::::
debian	debian_linux	9.0	cpe:2.3:o:debian:debian_linux:9.0:::::::*

CNA Affected

[
  {
    "vendor": "pjsip",
    "product": "pjproject",
    "versions": [
      {
        "version": "<= 2.12",
        "status": "affected"
      }
    ]
  }
]