CVE-2022-21723
Out-of-bounds read in multipart parsing in PJSIP
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions 2.11.1 and prior, parsing an incoming SIP message that contains a malformed multipart can potentially cause out-of-bound read access. This issue affects all PJSIP users that accept SIP multipart. The patch is available as commit in the `master` branch. There are no known workarounds.
PJSIP es una biblioteca de comunicación multimedia gratuita y de código abierto escrita en lenguaje C que implementa protocolos basados en estándares como SIP, SDP, RTP, STUN, TURN e ICE. En las versiones 2.11.1 y anteriores, el análisis de un mensaje SIP entrante que contiene una multiparte malformada puede causar potencialmente un acceso de lectura fuera de límites. Este problema afecta a todos los usuarios de PJSIP que aceptan multipartes SIP. El parche está disponible como commit en la rama "master". No se presentan medidas de mitigación conocidas
If an incoming SIP message contains a malformed multi-part body an out-of-bounds read access may occur, which can result in undefined behavior. Note, it is currently uncertain if there is any externally exploitable vector within Asterisk for this issue, but they are providing this as a security issue out of caution.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-11-16 CVE Reserved
- 2022-01-27 CVE Published
- 2024-08-03 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-125: Out-of-bounds Read
CAPEC
References (9)
| URL | Tag | Source |
|---|---|---|
| http://packetstormsecurity.com/files/166227/Asterisk-Project-Security-Advisory-AST-2022-006.html | Third Party Advisory |
|
| https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html | Mailing List |
|
| https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html | Mailing List |
|
| https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html | Mailing List |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://security.gentoo.org/glsa/202210-37 | 2023-08-30 | |
| https://www.debian.org/security/2022/dsa-5285 | 2023-08-30 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Teluu Search vendor "Teluu" | Pjsip Search vendor "Teluu" for product "Pjsip" | <= 2.11.1 Search vendor "Teluu" for product "Pjsip" and version " <= 2.11.1" | - |
Affected
| ||||||
| Asterisk Search vendor "Asterisk" | Certified Asterisk Search vendor "Asterisk" for product "Certified Asterisk" | 16.8.0 Search vendor "Asterisk" for product "Certified Asterisk" and version "16.8.0" | - |
Affected
| ||||||
| Asterisk Search vendor "Asterisk" | Certified Asterisk Search vendor "Asterisk" for product "Certified Asterisk" | 16.8.0 Search vendor "Asterisk" for product "Certified Asterisk" and version "16.8.0" | cert1 |
Affected
| ||||||
| Asterisk Search vendor "Asterisk" | Certified Asterisk Search vendor "Asterisk" for product "Certified Asterisk" | 16.8.0 Search vendor "Asterisk" for product "Certified Asterisk" and version "16.8.0" | cert10 |
Affected
| ||||||
| Asterisk Search vendor "Asterisk" | Certified Asterisk Search vendor "Asterisk" for product "Certified Asterisk" | 16.8.0 Search vendor "Asterisk" for product "Certified Asterisk" and version "16.8.0" | cert11 |
Affected
| ||||||
| Asterisk Search vendor "Asterisk" | Certified Asterisk Search vendor "Asterisk" for product "Certified Asterisk" | 16.8.0 Search vendor "Asterisk" for product "Certified Asterisk" and version "16.8.0" | cert12 |
Affected
| ||||||
| Asterisk Search vendor "Asterisk" | Certified Asterisk Search vendor "Asterisk" for product "Certified Asterisk" | 16.8.0 Search vendor "Asterisk" for product "Certified Asterisk" and version "16.8.0" | cert2 |
Affected
| ||||||
| Asterisk Search vendor "Asterisk" | Certified Asterisk Search vendor "Asterisk" for product "Certified Asterisk" | 16.8.0 Search vendor "Asterisk" for product "Certified Asterisk" and version "16.8.0" | cert3 |
Affected
| ||||||
| Asterisk Search vendor "Asterisk" | Certified Asterisk Search vendor "Asterisk" for product "Certified Asterisk" | 16.8.0 Search vendor "Asterisk" for product "Certified Asterisk" and version "16.8.0" | cert4 |
Affected
| ||||||
| Asterisk Search vendor "Asterisk" | Certified Asterisk Search vendor "Asterisk" for product "Certified Asterisk" | 16.8.0 Search vendor "Asterisk" for product "Certified Asterisk" and version "16.8.0" | cert5 |
Affected
| ||||||
| Asterisk Search vendor "Asterisk" | Certified Asterisk Search vendor "Asterisk" for product "Certified Asterisk" | 16.8.0 Search vendor "Asterisk" for product "Certified Asterisk" and version "16.8.0" | cert6 |
Affected
| ||||||
| Asterisk Search vendor "Asterisk" | Certified Asterisk Search vendor "Asterisk" for product "Certified Asterisk" | 16.8.0 Search vendor "Asterisk" for product "Certified Asterisk" and version "16.8.0" | cert7 |
Affected
| ||||||
| Asterisk Search vendor "Asterisk" | Certified Asterisk Search vendor "Asterisk" for product "Certified Asterisk" | 16.8.0 Search vendor "Asterisk" for product "Certified Asterisk" and version "16.8.0" | cert8 |
Affected
| ||||||
| Asterisk Search vendor "Asterisk" | Certified Asterisk Search vendor "Asterisk" for product "Certified Asterisk" | 16.8.0 Search vendor "Asterisk" for product "Certified Asterisk" and version "16.8.0" | cert9 |
Affected
| ||||||
| Sangoma Search vendor "Sangoma" | Asterisk Search vendor "Sangoma" for product "Asterisk" | >= 16.0.0 < 16.24.1 Search vendor "Sangoma" for product "Asterisk" and version " >= 16.0.0 < 16.24.1" | - |
Affected
| ||||||
| Sangoma Search vendor "Sangoma" | Asterisk Search vendor "Sangoma" for product "Asterisk" | >= 18.0.0 < 18.10.1 Search vendor "Sangoma" for product "Asterisk" and version " >= 18.0.0 < 18.10.1" | - |
Affected
| ||||||
| Sangoma Search vendor "Sangoma" | Asterisk Search vendor "Sangoma" for product "Asterisk" | >= 19.0.0 < 19.2.1 Search vendor "Sangoma" for product "Asterisk" and version " >= 19.0.0 < 19.2.1" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||