CVE-2022-24793
Potential heap buffer overflow when parsing DNS packets in PJSIP
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.12 and prior affects applications that use PJSIP DNS resolution. It doesn't affect PJSIP users who utilize an external resolver. This vulnerability is related to CVE-2023-27585. The difference is that this issue is in parsing the query record `parse_rr()`, while the issue in CVE-2023-27585 is in `parse_query()`. A patch is available in the `master` branch of the `pjsip/pjproject` GitHub repository. A workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an external resolver instead.
PJSIP es una biblioteca de comunicación multimedia gratuita y de código abierto escrita en C. Una vulnerabilidad de desbordamiento de búfer en versiones 2.12 y anteriores afecta a las aplicaciones que usan la resolución de DNS de PJSIP. No afecta a usuarios de PJSIP que usan una resolución externa. Se presenta un parche disponible en la rama "master" del repositorio GitHub "pjsip/pjproject". Una mitigación es deshabilitar la resolución de DNS en la configuración de PJSIP (estableciendo "nameserver_count" a cero) o usar una resolución externa en su lugar
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-02-10 CVE Reserved
- 2022-04-06 CVE Published
- 2024-08-03 CVE Updated
- 2024-11-10 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CAPEC
References (7)
URL | Tag | Source |
---|---|---|
https://lists.debian.org/debian-lts-announce/2022/05/msg00047.html | Mailing List | |
https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html | Mailing List | |
https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html | Mailing List |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a | 2023-08-30 | |
https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4 | 2023-08-30 |
URL | Date | SRC |
---|---|---|
https://security.gentoo.org/glsa/202210-37 | 2023-08-30 | |
https://www.debian.org/security/2022/dsa-5285 | 2023-08-30 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Pjsip Search vendor "Pjsip" | Pjsip Search vendor "Pjsip" for product "Pjsip" | <= 2.12 Search vendor "Pjsip" for product "Pjsip" and version " <= 2.12" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
|