CVE-2022-39269
Published 2022-10-06
CVE-2022-39269: PJSIP is a free and open source multimedia communication library written in C. When processing certain packets, PJSIP may incorrectly switch from using SRTP…
Priority P349 · critical · 9.1 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.53% (40.9th percentile)
PJSIP is a free and open source multimedia communication library written in C. When processing certain packets, PJSIP may incorrectly switch from using SRTP media transport to using basic RTP upon SRTP restart, causing the media to be sent insecurely. The vulnerability impacts all PJSIP users that use SRTP. The patch is available as commit d2acb9a in the master branch of the project and will be included in version 2.13. Users are advised to manually patch or to upgrade. There are no known workarounds for this vulnerability.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | asterisk | < asterisk 1:16.28.0~dfsg-0+deb11u2 (bullseye) | asterisk 1:16.28.0~dfsg-0+deb11u2 (bullseye) |
| debian | ring | < asterisk 1:16.28.0~dfsg-0+deb11u2 (bullseye) | asterisk 1:16.28.0~dfsg-0+deb11u2 (bullseye) |
| pjsip | pjproject | — | — |
| teluu | pjsip | >= 2.11 < 2.13 | 2.13 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| osv | 9.1 | CRITICAL | — |
| vendor_debian | 9.1 | CRITICAL | — |
Debian
CVE-2022-39269: asterisk [CRITICAL] (vendor_debian · 2022 · CVSS 9.1)
Description as given above.
Scope: local
bullseye: resolved (fixed in 1:16.28.0~dfsg-0+deb11u2)
sid: resolved (fixed in 1:20.3.0~dfsg+~cs6.13.40431413-1)
OSV
CVE-2022-39269 [CRITICAL] (osv · 2022-10-06 · CVSS 9.1)
Description as given above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/pjsip/pjproject/commit/d2acb9af4e27b5ba75d658690406cec9c274c5cc
https://github.com/pjsip/pjproject/security/advisories/GHSA-wx5m-cj97-4wwg
https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html
https://security.gentoo.org/glsa/202210-37
https://www.debian.org/security/2023/dsa-5358
Published 2022-10-06