CVE-2022-24793
published 2022-04-06CVE-2022-24793: PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.12 and prior affects applications…
PriorityP343high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
2.11%
79.5th percentile
PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.12 and prior affects applications that use PJSIP DNS resolution. It doesn't affect PJSIP users who utilize an external resolver. This vulnerability is related to CVE-2023-27585. The difference is that this issue is in parsing the query record `parse_rr()`, while the issue in CVE-2023-27585 is in `parse_query()`. A patch is available in the `master` branch of the `pjsip/pjproject` GitHub repository. A workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an external resolver instead.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | asterisk | < asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye) | asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye) |
| debian | asterisk | < asterisk 1:16.28.0~dfsg-0+deb11u3 (bullseye) | asterisk 1:16.28.0~dfsg-0+deb11u3 (bullseye) |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | ring | < asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye) | asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye) |
| debian | ring | < asterisk 1:16.28.0~dfsg-0+deb11u3 (bullseye) | asterisk 1:16.28.0~dfsg-0+deb11u3 (bullseye) |
| pjsip | pjproject | <= 2.13 | — |
| pjsip | pjsip | <= 2.12 | — |
| teluu | pjsip | < 2.13 | 2.13 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:N/A:P
osv9.8CRITICAL
vendor_debian7.5HIGH
vendor_ubuntu7.3HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
ring vulnerabilities
osv·2023-10-24·CVSS 9.8
CVE-2021-37706 [CRITICAL] ring vulnerabilities
ring vulnerabilities
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-37706)
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to cause a denial of service.
(CVE-2023-27585)
Original advisory details:
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-37706)
I
OSV
ring vulnerabilities
osv·2023-10-09·CVSS 9.8
CVE-2021-37706 [CRITICAL] ring vulnerabilities
ring vulnerabilities
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-37706)
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2021-43299, CVE-2021-43300, CVE-2021-43301, CVE-2021-43302,
CVE-2021-43303, CVE-2021-43804, CVE-2021-43845, CVE-2022-21723,
CVE-2022-23537, CVE-2022-23547, CVE-2022-23608, CVE-2022-24754,
CVE-2022-24763, CVE-2022-24764, CVE-2022
OSV
CVE-2023-27585: PJSIP is a free and open source multimedia communication library written in C
osv·2023-03-14·CVSS 7.5
CVE-2023-27585 [HIGH] CVE-2023-27585: PJSIP is a free and open source multimedia communication library written in C
PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.13 and prior affects applications that use PJSIP DNS resolver. It doesn't affect PJSIP users who do not utilise PJSIP DNS resolver. This vulnerability is related to CVE-2022-24793. The difference is that this issue is in parsing the query record `parse_query()`, while the issue in CVE-2022-24793 is in `parse_rr()`. A patch is available as commit `d1c5e4d` in the `master` branch. A workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an external resolver implementation instead.
OSV
CVE-2022-24793: PJSIP is a free and open source multimedia communication library written in C
osv·2022-04-06·CVSS 7.5
CVE-2022-24793 [HIGH] CVE-2022-24793: PJSIP is a free and open source multimedia communication library written in C
PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.12 and prior affects applications that use PJSIP DNS resolution. It doesn't affect PJSIP users who utilize an external resolver. This vulnerability is related to CVE-2023-27585. The difference is that this issue is in parsing the query record `parse_rr()`, while the issue in CVE-2023-27585 is in `parse_query()`. A patch is available in the `master` branch of the `pjsip/pjproject` GitHub repository. A workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an external resolver instead.
Ubuntu
Ring vulnerabilities
vendor_ubuntu·2023-10-24·CVSS 7.3
CVE-2023-27585 [HIGH] Ring vulnerabilities
Title: Ring vulnerabilities
Summary: Several security issues were fixed in Ring.
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-37706)
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to cause a denial of service.
(CVE-2023-27585)
Original advisory details:
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly
Ubuntu
Ring vulnerabilities
vendor_ubuntu·2023-10-09·CVSS 7.3
CVE-2021-37706 [HIGH] Ring vulnerabilities
Title: Ring vulnerabilities
Summary: Several security issues were fixed in Ring.
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2021-37706)
It was discovered that Ring incorrectly handled certain inputs. If a user or
an automated system were tricked into opening a specially crafted input file,
a remote attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2021-43299, CVE-2021-43300, CVE-2021-43301, CVE-2021-43302,
CVE-2021-43303, CVE-2021-43804, CVE-2021-43845, CVE-2022-21723,
CVE-2022-23537, CVE-2022-23547, CVE-2022-23
Debian
CVE-2023-27585: asterisk - PJSIP is a free and open source multimedia communication library written in C. A...
vendor_debian·2023·CVSS 7.5
CVE-2023-27585 [HIGH] CVE-2023-27585: asterisk - PJSIP is a free and open source multimedia communication library written in C. A...
PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.13 and prior affects applications that use PJSIP DNS resolver. It doesn't affect PJSIP users who do not utilise PJSIP DNS resolver. This vulnerability is related to CVE-2022-24793. The difference is that this issue is in parsing the query record `parse_query()`, while the issue in CVE-2022-24793 is in `parse_rr()`. A patch is available as commit `d1c5e4d` in the `master` branch. A workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an external resolver implementation instead.
Scope: local
bullseye: resolved (fixed in 1:16.28.0~dfsg-0+deb11u3)
sid: resolved (fixed in 1:20.4.0~dfsg+~cs6.13.40431414-1)
Debian
CVE-2022-24793: asterisk - PJSIP is a free and open source multimedia communication library written in C. A...
vendor_debian·2022·CVSS 7.5
CVE-2022-24793 [HIGH] CVE-2022-24793: asterisk - PJSIP is a free and open source multimedia communication library written in C. A...
PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.12 and prior affects applications that use PJSIP DNS resolution. It doesn't affect PJSIP users who utilize an external resolver. This vulnerability is related to CVE-2023-27585. The difference is that this issue is in parsing the query record `parse_rr()`, while the issue in CVE-2023-27585 is in `parse_query()`. A patch is available in the `master` branch of the `pjsip/pjproject` GitHub repository. A workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an external resolver instead.
Scope: local
bullseye: resolved (fixed in 1:16.28.0~dfsg-0+deb11u1)
sid: resolved (fixed in 1:18.14.0~~rc1~dfsg+~cs6.12.40431414-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2021-438450 CVE-2021-438451 CVE-2022-217221 CVE-2022-247541 CVE-2022-247542 CVE-2022-247631 CVE-2022-247633 CVE-2022-247641 CVE-2022-247644 CVE-2022-247931 CVE-2022-247935 asterisk: pjsip: Multipl
bugzilla·2023-02-27·CVSS 8.2
CVE-2021-438450 [HIGH] CVE-2021-438450 CVE-2021-438451 CVE-2022-217221 CVE-2022-247541 CVE-2022-247542 CVE-2022-247631 CVE-2022-247633 CVE-2022-247641 CVE-2022-247644 CVE-2022-247931 CVE-2022-247935 asterisk: pjsip: Multipl
CVE-2021-438450 CVE-2021-438451 CVE-2022-217221 CVE-2022-247541 CVE-2022-247542 CVE-2022-247631 CVE-2022-247633 CVE-2022-247641 CVE-2022-247644 CVE-2022-247931 CVE-2022-247935 asterisk: pjsip: Multiple Vulnerabilities [epel-all]
More information about this security flaw is available in the following bug:
http://bugzilla.redhat.com/show_bug.cgi?id=2173705
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
Use the following template to for the 'fedpkg update' request to submit an
update for this issue as it contains the top-level parent bug(s) as well as
this tracking bug. This will ensure that all associ
Bugzilla
CVE-2021-41141 CVE-2021-43845 CVE-2022-24754 CVE-2022-24763 CVE-2022-24786 CVE-2022-24792 CVE-2022-24793 asterisk: pjsip: Multiple vulnerabilities [epel-all]
bugzilla·2023-02-27·CVSS 5.9
CVE-2021-41141 [MEDIUM] CVE-2021-41141 CVE-2021-43845 CVE-2022-24754 CVE-2022-24763 CVE-2022-24786 CVE-2022-24792 CVE-2022-24793 asterisk: pjsip: Multiple vulnerabilities [epel-all]
CVE-2021-41141 CVE-2021-43845 CVE-2022-24754 CVE-2022-24763 CVE-2022-24786 CVE-2022-24792 CVE-2022-24793 asterisk: pjsip: Multiple vulnerabilities [epel-all]
More information about this security flaw is available in the following bug:
http://bugzilla.redhat.com/show_bug.cgi?id=2173699
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
Use the following template to for the 'fedpkg update' request to submit an
update for this issue as it contains the top-level parent bug(s) as well as
this tracking bug. This will ensure that all associated bugs get updated
when new packages are pushed to stable.
# bugfi
https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29ahttps://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4https://lists.debian.org/debian-lts-announce/2022/05/msg00047.htmlhttps://lists.debian.org/debian-lts-announce/2022/11/msg00021.htmlhttps://lists.debian.org/debian-lts-announce/2023/08/msg00038.htmlhttps://security.gentoo.org/glsa/202210-37https://www.debian.org/security/2022/dsa-5285https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29ahttps://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4https://lists.debian.org/debian-lts-announce/2022/05/msg00047.htmlhttps://lists.debian.org/debian-lts-announce/2022/11/msg00021.htmlhttps://lists.debian.org/debian-lts-announce/2023/08/msg00038.htmlhttps://lists.debian.org/debian-lts-announce/2024/09/msg00030.htmlhttps://security.gentoo.org/glsa/202210-37https://www.debian.org/security/2022/dsa-5285
2022-04-06
Published