CVE-2022-23537
published 2022-12-20CVE-2022-23537: PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN…
PriorityP348critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
1.03%
59.3th percentile
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. Buffer overread is possible when parsing a specially crafted STUN message with unknown attribute. The vulnerability affects applications that uses STUN including PJNATH and PJSUA-LIB. The patch is available as a commit in the master branch (2.13.1).
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | asterisk | < asterisk 1:16.28.0~dfsg-0+deb11u2 (bullseye) | asterisk 1:16.28.0~dfsg-0+deb11u2 (bullseye) |
| debian | debian_linux | — | — |
| debian | ring | < asterisk 1:16.28.0~dfsg-0+deb11u2 (bullseye) | asterisk 1:16.28.0~dfsg-0+deb11u2 (bullseye) |
| pjsip | pjproject | <= 2.13 | — |
| teluu | pjsip | < 2.13.1 | 2.13.1 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv9.8CRITICAL
vendor_ubuntu7.3HIGH
vendor_debian6.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
ring vulnerabilities
osv·2023-10-24·CVSS 9.8
CVE-2021-37706 [CRITICAL] ring vulnerabilities
ring vulnerabilities
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-37706)
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to cause a denial of service.
(CVE-2023-27585)
Original advisory details:
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-37706)
I
OSV
ring vulnerabilities
osv·2023-10-09·CVSS 9.8
CVE-2021-37706 [CRITICAL] ring vulnerabilities
ring vulnerabilities
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-37706)
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2021-43299, CVE-2021-43300, CVE-2021-43301, CVE-2021-43302,
CVE-2021-43303, CVE-2021-43804, CVE-2021-43845, CVE-2022-21723,
CVE-2022-23537, CVE-2022-23547, CVE-2022-23608, CVE-2022-24754,
CVE-2022-24763, CVE-2022-24764, CVE-2022
OSV
CVE-2022-23537: PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, ST
osv·2022-12-20·CVSS 9.8
CVE-2022-23537 [CRITICAL] CVE-2022-23537: PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, ST
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. Buffer overread is possible when parsing a specially crafted STUN message with unknown attribute. The vulnerability affects applications that uses STUN including PJNATH and PJSUA-LIB. The patch is available as a commit in the master branch (2.13.1).
Ubuntu
Ring vulnerabilities
vendor_ubuntu·2023-10-24·CVSS 7.3
CVE-2023-27585 [HIGH] Ring vulnerabilities
Title: Ring vulnerabilities
Summary: Several security issues were fixed in Ring.
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-37706)
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to cause a denial of service.
(CVE-2023-27585)
Original advisory details:
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly
Ubuntu
Ring vulnerabilities
vendor_ubuntu·2023-10-09·CVSS 7.3
CVE-2021-37706 [HIGH] Ring vulnerabilities
Title: Ring vulnerabilities
Summary: Several security issues were fixed in Ring.
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-37706)
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2021-43299, CVE-2021-43300, CVE-2021-43301, CVE-2021-43302,
CVE-2021-43303, CVE-2021-43804, CVE-2021-43845, CVE-2022-21723,
CVE-2022-23537, CVE-2022-23547, CVE-2022-23
Debian
CVE-2022-23537: asterisk - PJSIP is a free and open source multimedia communication library written in C la...
vendor_debian·2022·CVSS 6.5
CVE-2022-23537 [MEDIUM] CVE-2022-23537: asterisk - PJSIP is a free and open source multimedia communication library written in C la...
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. Buffer overread is possible when parsing a specially crafted STUN message with unknown attribute. The vulnerability affects applications that uses STUN including PJNATH and PJSUA-LIB. The patch is available as a commit in the master branch (2.13.1).
Scope: local
bullseye: resolved (fixed in 1:16.28.0~dfsg-0+deb11u2)
sid: resolved (fixed in 1:20.4.0~dfsg+~cs6.13.40431414-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/pjsip/pjproject/commit/d8440f4d711a654b511f50f79c0445b26f9dd1e1https://github.com/pjsip/pjproject/security/advisories/GHSA-9pfh-r8x4-w26whttps://lists.debian.org/debian-lts-announce/2023/08/msg00038.htmlhttps://github.com/pjsip/pjproject/commit/d8440f4d711a654b511f50f79c0445b26f9dd1e1https://github.com/pjsip/pjproject/security/advisories/GHSA-9pfh-r8x4-w26whttps://lists.debian.org/debian-lts-announce/2023/08/msg00038.htmlhttps://lists.debian.org/debian-lts-announce/2024/09/msg00030.html
2022-12-20
Published