CVE-2022-24763
published 2022-03-30CVE-2022-24763: PJSIP is a free and open source multimedia communication library written in the C language. Versions 2.12 and prior contain a denial-of-service vulnerability…
PriorityP340high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
2.04%
78.7th percentile
PJSIP is a free and open source multimedia communication library written in the C language. Versions 2.12 and prior contain a denial-of-service vulnerability that affects PJSIP users that consume PJSIP's XML parsing in their apps. Users are advised to update. There are no known workarounds.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | asterisk | < asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye) | asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye) |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | ring | < asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye) | asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye) |
| pjsip | pjproject | <= 2.12 | — |
| teluu | pjsip | >= 2.5 < 2.13 | 2.13 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv9.8CRITICAL
vendor_debian7.5HIGH
vendor_ubuntu7.3HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
ring vulnerabilities
osv·2023-10-24·CVSS 9.8
CVE-2021-37706 [CRITICAL] ring vulnerabilities
ring vulnerabilities
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-37706)
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to cause a denial of service.
(CVE-2023-27585)
Original advisory details:
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-37706)
I
OSV
ring vulnerabilities
osv·2023-10-09·CVSS 9.8
CVE-2021-37706 [CRITICAL] ring vulnerabilities
ring vulnerabilities
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-37706)
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2021-43299, CVE-2021-43300, CVE-2021-43301, CVE-2021-43302,
CVE-2021-43303, CVE-2021-43804, CVE-2021-43845, CVE-2022-21723,
CVE-2022-23537, CVE-2022-23547, CVE-2022-23608, CVE-2022-24754,
CVE-2022-24763, CVE-2022-24764, CVE-2022
OSV
CVE-2022-24763: PJSIP is a free and open source multimedia communication library written in the C language
osv·2022-03-30·CVSS 7.5
CVE-2022-24763 [HIGH] CVE-2022-24763: PJSIP is a free and open source multimedia communication library written in the C language
PJSIP is a free and open source multimedia communication library written in the C language. Versions 2.12 and prior contain a denial-of-service vulnerability that affects PJSIP users that consume PJSIP's XML parsing in their apps. Users are advised to update. There are no known workarounds.
Ubuntu
Ring vulnerabilities
vendor_ubuntu·2023-10-24·CVSS 7.3
CVE-2023-27585 [HIGH] Ring vulnerabilities
Title: Ring vulnerabilities
Summary: Several security issues were fixed in Ring.
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-37706)
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to cause a denial of service.
(CVE-2023-27585)
Original advisory details:
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly
Ubuntu
Ring vulnerabilities
vendor_ubuntu·2023-10-09·CVSS 7.3
CVE-2021-37706 [HIGH] Ring vulnerabilities
Title: Ring vulnerabilities
Summary: Several security issues were fixed in Ring.
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-37706)
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2021-43299, CVE-2021-43300, CVE-2021-43301, CVE-2021-43302,
CVE-2021-43303, CVE-2021-43804, CVE-2021-43845, CVE-2022-21723,
CVE-2022-23537, CVE-2022-23547, CVE-2022-23
Debian
CVE-2022-24763: asterisk - PJSIP is a free and open source multimedia communication library written in the ...
vendor_debian·2022·CVSS 7.5
CVE-2022-24763 [HIGH] CVE-2022-24763: asterisk - PJSIP is a free and open source multimedia communication library written in the ...
PJSIP is a free and open source multimedia communication library written in the C language. Versions 2.12 and prior contain a denial-of-service vulnerability that affects PJSIP users that consume PJSIP's XML parsing in their apps. Users are advised to update. There are no known workarounds.
Scope: local
bullseye: resolved (fixed in 1:16.28.0~dfsg-0+deb11u1)
sid: resolved (fixed in 1:18.14.0~~rc1~dfsg+~cs6.12.40431414-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2021-438450 CVE-2021-438451 CVE-2022-217221 CVE-2022-247541 CVE-2022-247542 CVE-2022-247631 CVE-2022-247633 CVE-2022-247641 CVE-2022-247644 CVE-2022-247931 CVE-2022-247935 asterisk: pjsip: Multipl
bugzilla·2023-02-27·CVSS 8.2
CVE-2021-438450 [HIGH] CVE-2021-438450 CVE-2021-438451 CVE-2022-217221 CVE-2022-247541 CVE-2022-247542 CVE-2022-247631 CVE-2022-247633 CVE-2022-247641 CVE-2022-247644 CVE-2022-247931 CVE-2022-247935 asterisk: pjsip: Multipl
CVE-2021-438450 CVE-2021-438451 CVE-2022-217221 CVE-2022-247541 CVE-2022-247542 CVE-2022-247631 CVE-2022-247633 CVE-2022-247641 CVE-2022-247644 CVE-2022-247931 CVE-2022-247935 asterisk: pjsip: Multiple Vulnerabilities [epel-all]
More information about this security flaw is available in the following bug:
http://bugzilla.redhat.com/show_bug.cgi?id=2173705
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
Use the following template to for the 'fedpkg update' request to submit an
update for this issue as it contains the top-level parent bug(s) as well as
this tracking bug. This will ensure that all associ
Bugzilla
CVE-2021-41141 CVE-2021-43845 CVE-2022-24754 CVE-2022-24763 CVE-2022-24786 CVE-2022-24792 CVE-2022-24793 asterisk: pjsip: Multiple vulnerabilities [epel-all]
bugzilla·2023-02-27·CVSS 5.9
CVE-2021-41141 [MEDIUM] CVE-2021-41141 CVE-2021-43845 CVE-2022-24754 CVE-2022-24763 CVE-2022-24786 CVE-2022-24792 CVE-2022-24793 asterisk: pjsip: Multiple vulnerabilities [epel-all]
CVE-2021-41141 CVE-2021-43845 CVE-2022-24754 CVE-2022-24763 CVE-2022-24786 CVE-2022-24792 CVE-2022-24793 asterisk: pjsip: Multiple vulnerabilities [epel-all]
More information about this security flaw is available in the following bug:
http://bugzilla.redhat.com/show_bug.cgi?id=2173699
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
Use the following template to for the 'fedpkg update' request to submit an
update for this issue as it contains the top-level parent bug(s) as well as
this tracking bug. This will ensure that all associated bugs get updated
when new packages are pushed to stable.
# bugfi
https://github.com/pjsip/pjproject/commit/856f87c2e97a27b256482dbe0d748b1194355a21https://github.com/pjsip/pjproject/security/advisories/GHSA-5x45-qp78-g4p4https://lists.debian.org/debian-lts-announce/2022/05/msg00047.htmlhttps://lists.debian.org/debian-lts-announce/2022/11/msg00021.htmlhttps://lists.debian.org/debian-lts-announce/2023/08/msg00038.htmlhttps://security.gentoo.org/glsa/202210-37https://www.debian.org/security/2022/dsa-5285https://github.com/pjsip/pjproject/commit/856f87c2e97a27b256482dbe0d748b1194355a21https://github.com/pjsip/pjproject/security/advisories/GHSA-5x45-qp78-g4p4https://lists.debian.org/debian-lts-announce/2022/05/msg00047.htmlhttps://lists.debian.org/debian-lts-announce/2022/11/msg00021.htmlhttps://lists.debian.org/debian-lts-announce/2023/08/msg00038.htmlhttps://lists.debian.org/debian-lts-announce/2024/09/msg00030.htmlhttps://security.gentoo.org/glsa/202210-37https://www.debian.org/security/2022/dsa-5285
2022-03-30
Published