CVE-2022-24792

Potential infinite loop when parsing WAV format file in PJSIP

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

PJSIP is a free and open source multimedia communication library written in C. A denial-of-service vulnerability affects applications on a 32-bit systems that use PJSIP versions 2.12 and prior to play/read invalid WAV files. The vulnerability occurs when reading WAV file data chunks with length greater than 31-bit integers. The vulnerability does not affect 64-bit apps and should not affect apps that only plays trusted WAV files. A patch is available on the `master` branch of the `pjsip/project` GitHub repository. As a workaround, apps can reject a WAV file received from an unknown source or validate the file first.

PJSIP es una biblioteca de comunicación multimedia gratuita y de código abierto escrita en C. Una vulnerabilidad de denegación de servicio afecta a las aplicaciones en sistemas de 32 bits que usan PJSIP versiones 2.12 y anteriores para reproducir/leer archivos WAV no válidos. La vulnerabilidad es producida cuando son leídos trozos de datos de archivos WAV con una longitud superior a los enteros de 31 bits. La vulnerabilidad no afecta a aplicaciones de 64 bits y no debería afectar a las aplicaciones que sólo reproducen archivos WAV confiables. Se presenta un parche disponible en la rama "master" del repositorio GitHub "pjsip/project". Como medida de mitigación, las aplicaciones pueden rechazar un archivo WAV recibido de una fuente desconocida o comprobar primero el archivo

Multiple security vulnerabilities have been found in Asterisk, an Open Source Private Branch Exchange. Buffer overflows and other programming errors could be exploited for information disclosure or the execution of arbitrary code.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-02-10 CVE Reserved
2022-04-25 CVE Published
2024-08-03 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

CAPEC

References (6)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2022/05/msg00047.html	Mailing List
https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html	Mailing List

URL	Date	SRC

URL	Date	SRC
https://github.com/pjsip/pjproject/commit/947bc1ee6d05be10204b918df75a503415fd3213	2022-12-06
https://github.com/pjsip/pjproject/security/advisories/GHSA-rwgw-vwxg-q799	2022-12-06

URL	Date	SRC
https://security.gentoo.org/glsa/202210-37	2022-12-06
https://www.debian.org/security/2022/dsa-5285	2022-12-06

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Teluu Search vendor "Teluu"		Pjsip Search vendor "Teluu" for product "Pjsip"				<= 2.12 Search vendor "Teluu" for product "Pjsip" and version " <= 2.12"		x86		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0"		-		Affected