CVE-2022-39269Cleartext Transmission of Sensitive Info in Pjsip

CWE-319Cleartext Transmission of Sensitive Info3 documents3 sources
Severity
9.1CRITICALNVD
EPSS
0.2%
top 55.51%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
PjsipDebian AsteriskDebian Ring+1 more
Timeline
PublishedOct 6

Description

PJSIP is a free and open source multimedia communication library written in C. When processing certain packets, PJSIP may incorrectly switch from using SRTP media transport to using basic RTP upon SRTP restart, causing the media to be sent insecurely. The vulnerability impacts all PJSIP users that use SRTP. The patch is available as commit d2acb9a in the master branch of the project and will be included in version 2.13. Users are advised to manually patch or to upgrade. There are no known workar

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages4 packages

CVEListV5pjsip/pjproject>= 2.11, < 2.13
NVDpjsip/pjsip2.112.13
debiandebian/ring< asterisk 1:16.28.0~dfsg-0+deb11u2 (bullseye)
debiandebian/asterisk< asterisk 1:16.28.0~dfsg-0+deb11u2 (bullseye)

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
OSV
CVE-2022-39269: PJSIP is a free and open source multimedia communication library written in C2022-10-06

📋Vendor Advisories

1
Debian
CVE-2022-39269: asterisk - PJSIP is a free and open source multimedia communication library written in C. W...2022
CVE-2022-39269 — Pjsip vulnerability | cvebase