CVE-2022-31002 — Out-of-bounds Read in Sofia-sip

CWE-125 — Out-of-bounds Read5 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 53.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Freeswitch Sofia-sip Signalwire Sofia-sip Debian Sofia-sip +1 more

Timeline

PublishedMay 31

Latest updateMar 7

Description

Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent library. Prior to version 1.13.8, an attacker can send a message with evil sdp to FreeSWITCH, which may cause a crash. This type of crash may be caused by a URL ending with `%`. Version 1.13.8 contains a patch for this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5freeswitch/sofia-sip< 1.13.8

▶Debianfreeswitch/sofia-sip< 1.12.11+20110422.1-2.1+deb11u1+3

▶Ubuntufreeswitch/sofia-sip< 1.12.11+20110422.1-2.1+deb10u3build0.18.04.1+3

▶debiandebian/sofia-sip< sofia-sip 1.12.11+20110422.1+1e14eea~dfsg-3 (bookworm)

▶NVDsignalwire/sofia-sip< 1.13.8

Also affects: Debian Linux 10.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

sofia-sip vulnerabilities↗2023-03-07

▶

OSV

CVE-2022-31002: Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent library↗2022-05-31

▶

📋Vendor Advisories

Ubuntu

Sofia-SIP vulnerabilities↗2023-03-07

▶

Debian

CVE-2022-31002: sofia-sip - Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent library...↗2022

▶