CVE-2023-38703
Published: 2023-10-06
Priority: P351 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.28% (66.4th percentile)
PJSIP is a free and open source multimedia communication library written in C with a high-level API in C, C++, Java, C#, and Python. SRTP is a higher-level media transport which is stacked upon a lower-level media transport such as UDP and ICE. Currently a higher-level transport is not synchronized with its lower-level transport, which may introduce a use-after-free issue. This vulnerability affects applications that have SRTP capability (`PJMEDIA_HAS_SRTP` is set) and use an underlying media transport other than UDP. This vulnerability's impact may range from unexpected application termination to control-flow hijack/memory corruption. The patch is available as a commit in the master branch.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | asterisk | < asterisk 1:16.28.0~dfsg-0+deb11u4 (bullseye) | asterisk 1:16.28.0~dfsg-0+deb11u4 (bullseye) |
| debian | ring | < asterisk 1:16.28.0~dfsg-0+deb11u4 (bullseye) | asterisk 1:16.28.0~dfsg-0+deb11u4 (bullseye) |
| pjsip | pjproject | <= 2.13.1 | — |
| teluu | pjsip | <= 2.13.1 | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd | 9.8 (v3.1) | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 9.8 | CRITICAL | — |
| vendor_debian | 9.8 | CRITICAL | — |
OSV
CVE-2023-38703 [CRITICAL]: PJSIP is a free and open source multimedia communication library written in C with high level API in C, C++, Java, C#, and Python languages
osv · 2023-10-06 · CVSS 9.8
Debian
CVE-2023-38703 [CRITICAL]: asterisk - PJSIP is a free and open source multimedia communication library written in C wi...
vendor_debian · 2023 · CVSS 9.8
Scope: local
bullseye: resolved (fixed in 1:16.28.0~dfsg-0+deb11u4)
sid: resolved (fixed in 1:20.8
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/pjsip/pjproject/commit/6dc9b8c181aff39845f02b4626e0812820d4ef0d
- https://github.com/pjsip/pjproject/security/advisories/GHSA-f76w-fh7c-pc66
- https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html