GitHub_MCVELIST:CVE-2021-32686CVE-2021-32686 Denial of Service in PJSIP
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
6.7 Medium
AI Score
Confidence
High
0.006 Low
EPSS
Percentile
77.8%
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1, there are a couple of issues found in the SSL socket. First, a race condition between callback and destroy, due to the accepted socket having no group lock. Second, the SSL socket parent/listener may get destroyed during handshake. Both issues were reported to happen intermittently in heavy load TLS connections. They cause a crash, resulting in a denial of service. These are fixed in version 2.11.1.
CNA Affected
[
{
"vendor": "pjsip",
"product": "pjproject",
"versions": [
{
"version": "< 2.11.1",
"status": "affected"
}
]
}
]References
github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd
github.com/pjsip/pjproject/pull/2716
github.com/pjsip/pjproject/releases/tag/2.11.1
github.com/pjsip/pjproject/security/advisories/GHSA-cv8x-p47p-99wr
lists.debian.org/debian-lts-announce/2022/03/msg00035.html
security.gentoo.org/glsa/202210-37
www.debian.org/security/2021/dsa-4999
Related
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
6.7 Medium
AI Score
Confidence
High
0.006 Low
EPSS
Percentile
77.8%