// For flags

CVE-2022-21723

Out-of-bounds read in multipart parsing in PJSIP

Severity Score

9.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions 2.11.1 and prior, parsing an incoming SIP message that contains a malformed multipart can potentially cause out-of-bound read access. This issue affects all PJSIP users that accept SIP multipart. The patch is available as commit in the `master` branch. There are no known workarounds.

PJSIP es una biblioteca de comunicación multimedia gratuita y de código abierto escrita en lenguaje C que implementa protocolos basados en estándares como SIP, SDP, RTP, STUN, TURN e ICE. En las versiones 2.11.1 y anteriores, el análisis de un mensaje SIP entrante que contiene una multiparte malformada puede causar potencialmente un acceso de lectura fuera de límites. Este problema afecta a todos los usuarios de PJSIP que aceptan multipartes SIP. El parche está disponible como commit en la rama "master". No se presentan medidas de mitigación conocidas

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-11-16 CVE Reserved
  • 2022-01-27 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-10-12 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-125: Out-of-bounds Read
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Teluu
Search vendor "Teluu"
 Pjsip
Search vendor "Teluu" for product "Pjsip"
 <= 2.11.1
Search vendor "Teluu" for product "Pjsip" and version " <= 2.11.1"
-
Affected
Asterisk
Search vendor "Asterisk"
 Certified Asterisk
Search vendor "Asterisk" for product "Certified Asterisk"
 16.8.0
Search vendor "Asterisk" for product "Certified Asterisk" and version "16.8.0"
-
Affected
Asterisk
Search vendor "Asterisk"
 Certified Asterisk
Search vendor "Asterisk" for product "Certified Asterisk"
 16.8.0
Search vendor "Asterisk" for product "Certified Asterisk" and version "16.8.0"
cert1
Affected
Asterisk
Search vendor "Asterisk"
 Certified Asterisk
Search vendor "Asterisk" for product "Certified Asterisk"
 16.8.0
Search vendor "Asterisk" for product "Certified Asterisk" and version "16.8.0"
cert10
Affected
Asterisk
Search vendor "Asterisk"
 Certified Asterisk
Search vendor "Asterisk" for product "Certified Asterisk"
 16.8.0
Search vendor "Asterisk" for product "Certified Asterisk" and version "16.8.0"
cert11
Affected
Asterisk
Search vendor "Asterisk"
 Certified Asterisk
Search vendor "Asterisk" for product "Certified Asterisk"
 16.8.0
Search vendor "Asterisk" for product "Certified Asterisk" and version "16.8.0"
cert12
Affected
Asterisk
Search vendor "Asterisk"
 Certified Asterisk
Search vendor "Asterisk" for product "Certified Asterisk"
 16.8.0
Search vendor "Asterisk" for product "Certified Asterisk" and version "16.8.0"
cert2
Affected
Asterisk
Search vendor "Asterisk"
 Certified Asterisk
Search vendor "Asterisk" for product "Certified Asterisk"
 16.8.0
Search vendor "Asterisk" for product "Certified Asterisk" and version "16.8.0"
cert3
Affected
Asterisk
Search vendor "Asterisk"
 Certified Asterisk
Search vendor "Asterisk" for product "Certified Asterisk"
 16.8.0
Search vendor "Asterisk" for product "Certified Asterisk" and version "16.8.0"
cert4
Affected
Asterisk
Search vendor "Asterisk"
 Certified Asterisk
Search vendor "Asterisk" for product "Certified Asterisk"
 16.8.0
Search vendor "Asterisk" for product "Certified Asterisk" and version "16.8.0"
cert5
Affected
Asterisk
Search vendor "Asterisk"
 Certified Asterisk
Search vendor "Asterisk" for product "Certified Asterisk"
 16.8.0
Search vendor "Asterisk" for product "Certified Asterisk" and version "16.8.0"
cert6
Affected
Asterisk
Search vendor "Asterisk"
 Certified Asterisk
Search vendor "Asterisk" for product "Certified Asterisk"
 16.8.0
Search vendor "Asterisk" for product "Certified Asterisk" and version "16.8.0"
cert7
Affected
Asterisk
Search vendor "Asterisk"
 Certified Asterisk
Search vendor "Asterisk" for product "Certified Asterisk"
 16.8.0
Search vendor "Asterisk" for product "Certified Asterisk" and version "16.8.0"
cert8
Affected
Asterisk
Search vendor "Asterisk"
 Certified Asterisk
Search vendor "Asterisk" for product "Certified Asterisk"
 16.8.0
Search vendor "Asterisk" for product "Certified Asterisk" and version "16.8.0"
cert9
Affected
Sangoma
Search vendor "Sangoma"
 Asterisk
Search vendor "Sangoma" for product "Asterisk"
 >= 16.0.0 < 16.24.1
Search vendor "Sangoma" for product "Asterisk" and version " >= 16.0.0 < 16.24.1"
-
Affected
Sangoma
Search vendor "Sangoma"
 Asterisk
Search vendor "Sangoma" for product "Asterisk"
 >= 18.0.0 < 18.10.1
Search vendor "Sangoma" for product "Asterisk" and version " >= 18.0.0 < 18.10.1"
-
Affected
Sangoma
Search vendor "Sangoma"
 Asterisk
Search vendor "Sangoma" for product "Asterisk"
 >= 19.0.0 < 19.2.1
Search vendor "Sangoma" for product "Asterisk" and version " >= 19.0.0 < 19.2.1"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected