CVE-2020-15260: Improper Validation of Certificate with Host Mismatch in Pjproject

Severity
6.8 MEDIUM (NVD)
OSV: 9.8
EPSS: 0.2% (top 59.82%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Mar 10
Latest update: Mar 24

Description

PJSIP is a free and open source multimedia communication library written in the C language, implementing standard-based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.10 and earlier, a PJSIP transport can be reused if it has the same IP address + port + protocol. However, this is insufficient for secure transport since it lacks remote hostname authentication. Suppose we have created a TLS connection to `sip.foo.com`, which has an IP address `100.1.1.1`. If we want to create a TLS

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Exploitability: 2.2 | Impact: 4.0

Affected Packages (4 packages)

Ubuntu | pjsip/pjproject | < 2.1.0.0.ast20130823-1+deb8u1ubuntu0.1~esm1+1
NVD | teluu/pjsip | 2.10
CVEListV5 | pjsip/pjproject | 2.10
debian | debian/ring | < ring 20210112.2.b757bac~ds1-1 (bookworm)

Patches

Vulnerability Details (2)

OSV: pjproject vulnerabilities (2026-03-24)
OSV: CVE-2020-15260: PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, ST (2021-03-10)

Vendor Advisories (2)

Ubuntu: PJSIP vulnerabilities (2026-03-24)
Debian: CVE-2020-15260: ring - PJSIP is a free and open source multimedia communication library written in C la... (2020)
CVE-2020-15260 — Pjsip Pjproject vulnerability | cvebase