PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all users that use STUN. A malicious actor located within the victim’s network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victim’s machine. Users are advised to upgrade as soon as possible. There are no known workarounds.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/166225/Asterisk-Project-Security-Advisory-AST-2022-004.html | Third Party Advisory VDB Entry |
http://seclists.org/fulldisclosure/2022/Mar/0 | Mailing List Patch Third Party Advisory |
https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865 | Patch Third Party Advisory |
https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984 | Patch Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html | Mailing List Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html | Mailing List Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html | |
https://security.gentoo.org/glsa/202210-37 | Third Party Advisory |
https://www.debian.org/security/2022/dsa-5285 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2021-12-22T00:00:00
Updated: 2023-08-30T00:06:40.686220
Reserved: 2021-07-29T00:00:00
Link: CVE-2021-37706
JSON object: View
NVD Information
Status : Modified
Published: 2021-12-22T18:15:07.487
Modified: 2023-08-30T01:15:28.083
Link: CVE-2021-37706
JSON object: View
Redhat Information
No data.
CWE