CVE-2022-24786: Out-of-bounds Read in Pjproject

Severity
9.8 CRITICAL (NVD)
EPSS
0.7%
top 26.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Apr 6
Latest update: Feb 27

Description

PJSIP is a free and open source multimedia communication library written in C. PJSIP versions 2.12 and prior do not themselves parse incoming RTCP feedback RPSI (Reference Picture Selection Indication) packets, but any application that directly calls pjmedia_rtcp_fb_parse_rpsi() is affected. A patch is available in the `master` branch of the `pjsip/pjproject` GitHub repository. There are currently no known workarounds.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (4 packages)

NVD: pjsip/pjsip 2.12
CVEListV5: pjsip/pjproject 2.12
debian: debian/ring < asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye)
debian: debian/asterisk < asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye)

Also affects: Debian Linux 10.0, 9.0

Patches

🔴Vulnerability Details

1
OSV
CVE-2022-24786: PJSIP is a free and open source multimedia communication library written in C (2022-04-06)

💥Exploits & PoCs

1
Exploit-DB
WordPress Plugin Download Monitor WordPress V 4.4.4 - SQL Injection (Authenticated) (2022-02-02)

📋Vendor Advisories

1
Debian
CVE-2022-24786: asterisk - PJSIP is a free and open source multimedia communication library written in C. P... (2022)

💬Community

1
Bugzilla
CVE-2021-41141 CVE-2021-43845 CVE-2022-24754 CVE-2022-24763 CVE-2022-24786 CVE-2022-24792 CVE-2022-24793 asterisk: pjsip: Multiple vulnerabilities [epel-all] (2023-02-27)
CVE-2022-24786 — Out-of-bounds Read in Pjsip Pjproject | cvebase