CVE-2023-38703
published 2023-10-06


Priority: P3 51
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.28% (66.4th percentile)
PJSIP is a free and open source multimedia communication library written in C, with a high-level API in C, C++, Java, C#, and Python. SRTP is a higher-level media transport that is stacked on a lower-level media transport such as UDP or ICE. The higher-level transport is not synchronized with the lifetime of its lower-level transport, so the lower transport can be torn down while the SRTP layer still references it, which may lead to a use-after-free. This vulnerability affects applications that are built with SRTP capability (`PJMEDIA_HAS_SRTP` is set) and use an underlying media transport other than UDP; applications built without SRTP, or whose media runs over plain UDP transport, are outside the scope of this issue. The impact may range from unexpected application termination to memory corruption and control-flow hijack. The patch is available as a commit in the master branch; the affected ranges below list releases up to and including 2.13.1.
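To make the "higher-level transport is not synchronized with its lower-level transport" failure mode concrete, the following is an added, constructed model written for this page. It is not PJSIP code and does not use PJSIP's API; the struct names, the `ice`/`srtp` objects and the error codes are assumptions. The lower transport's destruction is simulated by clearing an `alive` flag rather than calling `free()`, because a real dangling dereference is undefined behaviour and cannot be observed reliably. The vulnerable design lets the upper layer keep a raw pointer that nobody invalidates; the fixed design has the lower layer track its attached upper layers and detach them before it goes away, so a send after teardown fails cleanly instead of touching freed memory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a layered media transport, for illustration only
 * (not PJSIP's API): a higher transport ("srtp") forwards packets to a
 * lower one ("ice"), and the two objects have independent lifetimes. */

#define MAX_UPPER 4
#define ERR_UAF  (-1)   /* vulnerable path dereferenced a destroyed lower transport */
#define ERR_DOWN (-2)   /* fixed path: lower transport gone, send refused cleanly */

struct upper_tp;

struct lower_tp {
    bool alive;
    long bytes;
    struct upper_tp *attached[MAX_UPPER];   /* fixed design: who points at us */
    int n_attached;
};

struct upper_tp {
    struct lower_tp *lower;   /* raw pointer into the lower layer */
    long bytes;
};

/* --- vulnerable design: lower is torn down without telling the upper layer --- */
static void lower_destroy_unsynced(struct lower_tp *l) { l->alive = false; }

static int upper_send_vuln(struct upper_tp *u, const char *pkt) {
    struct lower_tp *l = u->lower;          /* may be dangling by now */
    if (!l->alive) return ERR_UAF;          /* stand-in for the dereference of freed memory;
                                               real code has no such guard */
    l->bytes += (long)strlen(pkt);
    u->bytes += (long)strlen(pkt);
    return 0;
}

/* --- fixed design: lower knows its uppers and detaches them on destroy --- */
static int upper_attach(struct lower_tp *l, struct upper_tp *u) {
    if (!l->alive || l->n_attached == MAX_UPPER) return ERR_DOWN;
    l->attached[l->n_attached++] = u;
    u->lower = l;
    return 0;
}

static void lower_destroy_synced(struct lower_tp *l) {
    for (int i = 0; i < l->n_attached; i++)
        l->attached[i]->lower = NULL;       /* invalidate every reference before dying */
    l->n_attached = 0;
    l->alive = false;
}

static int upper_send_fixed(struct upper_tp *u, const char *pkt) {
    if (u->lower == NULL) return ERR_DOWN;  /* detached: refuse, never dereference */
    u->lower->bytes += (long)strlen(pkt);
    u->bytes += (long)strlen(pkt);
    return 0;
}

/* Same sequence through both designs: send, tear down the lower transport, send again. */
static int scenario_vulnerable(void) {
    struct lower_tp ice = { .alive = true };
    struct upper_tp srtp = { .lower = &ice };
    if (upper_send_vuln(&srtp, "rtp-1") != 0) return 99;
    lower_destroy_unsynced(&ice);            /* ICE gone, srtp.lower still points at it */
    return upper_send_vuln(&srtp, "rtp-2");  /* ERR_UAF: dangling access */
}

static int scenario_fixed(void) {
    struct lower_tp ice = { .alive = true };
    struct upper_tp srtp = { 0 };
    if (upper_attach(&ice, &srtp) != 0) return 99;
    if (upper_send_fixed(&srtp, "rtp-1") != 0) return 99;
    lower_destroy_synced(&ice);              /* detaches srtp before tearing down */
    return upper_send_fixed(&srtp, "rtp-2"); /* ERR_DOWN: clean error, nothing dangling */
}

int main(void) {
    printf("vulnerable design: %d (ERR_UAF = %d)\n", scenario_vulnerable(), ERR_UAF);
    printf("fixed design:      %d (ERR_DOWN = %d)\n", scenario_fixed(), ERR_DOWN);
    return 0;
}
```

The point a practitioner should take from the model is the ordering: whichever layer owns the shorter-lived object must invalidate every outstanding reference to it before releasing it, and the consumer must treat a null reference as "transport down" rather than a precondition violation. Whether a given PJSIP build is in scope is a matter of configuration, not of this model: check that `PJMEDIA_HAS_SRTP` is enabled and that media is carried over ICE (or another non-UDP transport) rather than plain UDP.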

Affected (4 ranges)

Vendor   Product    Version range                                      Fixed in
debian   asterisk   < asterisk 1:16.28.0~dfsg-0+deb11u4 (bullseye)     asterisk 1:16.28.0~dfsg-0+deb11u4 (bullseye)
debian   ring       < asterisk 1:16.28.0~dfsg-0+deb11u4 (bullseye)     asterisk 1:16.28.0~dfsg-0+deb11u4 (bullseye)
pjsip    pjproject  <= 2.13.1                                          (not listed)
teluu    pjsip      <= 2.13.1                                          (not listed)

CVSS provenance

Source         Version   Score   Severity   Vector
nvd            v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv                      9.8     CRITICAL
vendor_debian            9.8     CRITICAL