CVE-2021-43845 — Out-of-bounds Read in Pjproject

CWE-125 — Out-of-bounds Read9 documents5 sources

Severity

9.1CRITICALNVD

OSV9.8

EPSS

0.3%

top 47.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Asterisk Debian Ring Pjsip Pjproject +2 more

Timeline

PublishedDec 27

Latest updateOct 24

Description

PJSIP is a free and open source multimedia communication library. In version 2.11.1 and prior, if incoming RTCP XR message contain block, the data field is not checked against the received packet size, potentially resulting in an out-of-bound read access. This affects all users that use PJMEDIA and RTCP XR. A malicious actor can send a RTCP XR message with an invalid packet size.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages4 packages

▶NVDteluu/pjsip2.11.1

▶CVEListV5pjsip/pjproject2.11.1

▶debiandebian/ring< asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye)

▶debiandebian/asterisk< asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye)

Also affects: Debian Linux 10.0, 11.0, 9.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

ring vulnerabilities↗2023-10-24

▶

OSV

ring vulnerabilities↗2023-10-09

▶

OSV

CVE-2021-43845: PJSIP is a free and open source multimedia communication library↗2021-12-27

▶

📋Vendor Advisories

Ubuntu

Ring vulnerabilities↗2023-10-24

▶

Ubuntu

Ring vulnerabilities↗2023-10-09

▶

Debian

CVE-2021-43845: asterisk - PJSIP is a free and open source multimedia communication library. In version 2.1...↗2021

▶

💬Community

Bugzilla

CVE-2021-438450 CVE-2021-438451 CVE-2022-217221 CVE-2022-247541 CVE-2022-247542 CVE-2022-247631 CVE-2022-247633 CVE-2022-247641 CVE-2022-247644 CVE-2022-247931 CVE-2022-247935 asterisk: pjsip: Multipl↗2023-02-27

▶

Bugzilla

CVE-2021-41141 CVE-2021-43845 CVE-2022-24754 CVE-2022-24763 CVE-2022-24786 CVE-2022-24792 CVE-2022-24793 asterisk: pjsip: Multiple vulnerabilities [epel-all]↗2023-02-27

▶