CVE-2021-41141 - OpenCVE

Vendors	Products
Debian	Debian Linux
Teluu	Pjsip

Link	Resource
https://github.com/pjsip/pjproject/commit/1aa2c0e0fb60a1b0bf793e0d834073ffe50fb196	Patch Third Party Advisory
https://github.com/pjsip/pjproject/security/advisories/GHSA-8fmx-hqw7-6gmc	Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html	Mailing List Third Party Advisory
https://security.gentoo.org/glsa/202210-37	Third Party Advisory

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-41141", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2022-10-31T00:00:00", "dateReserved": "2021-09-15T00:00:00", "datePublished": "2022-01-04T00:00:00"}, "containers": {"cna": {"title": "Missing release of locks in PJSIP", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-10-31T00:00:00"}, "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in the C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In various parts of PJSIP, when error/failure occurs, it is found that the function returns without releasing the currently held locks. This could result in a system deadlock, which cause a denial of service for the users. No release has yet been made which contains the linked fix commit. All versions up to an including 2.11.1 are affected. Users may need to manually apply the patch."}], "affected": [{"vendor": "pjsip", "product": "pjproject", "versions": [{"version": "<= 2.11.1", "status": "affected"}]}], "references": [{"url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-8fmx-hqw7-6gmc"}, {"url": "https://github.com/pjsip/pjproject/commit/1aa2c0e0fb60a1b0bf793e0d834073ffe50fb196"}, {"name": "[debian-lts-announce] 20220328 [SECURITY] [DLA 2962-1] pjproject security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html"}, {"name": "GLSA-202210-37", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202210-37"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-667: Improper Locking", "cweId": "CWE-667"}]}], "source": {"advisory": "GHSA-8fmx-hqw7-6gmc", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:*", "matchCriteriaId": "6BB0273A-3235-4BC7-A1BE-7D35BABD8617", "versionEndIncluding": "2.11.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in the C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In various parts of PJSIP, when error/failure occurs, it is found that the function returns without releasing the currently held locks. This could result in a system deadlock, which cause a denial of service for the users. No release has yet been made which contains the linked fix commit. All versions up to an including 2.11.1 are affected. Users may need to manually apply the patch."}, {"lang": "es", "value": "PJSIP es una biblioteca de comunicaci\u00f3n multimedia gratuita y de c\u00f3digo abierto escrita en lenguaje C que implementa protocolos basados en est\u00e1ndares como SIP, SDP, RTP, STUN, TURN e ICE. En varias partes de PJSIP, cuando es producido un error/fallo, es encontrado que la funci\u00f3n retorna sin liberar los bloqueos que se presentan actualmente. Esto podr\u00eda resultar en un bloqueo del sistema, que causar\u00eda una denegaci\u00f3n de servicio para los usuarios. Todav\u00eda no ha sido realizado ninguna publicaci\u00f3n que contenga el commit de correcci\u00f3n vinculado. Todas las versiones hasta la 2.11.1 incluy\u00e9ndola est\u00e1n afectadas. Es posible que los usuarios tengan que aplicar el parche manualmente"}], "id": "CVE-2021-41141", "lastModified": "2022-11-16T19:07:09.427", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.8, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-01-04T19:15:14.687", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/pjsip/pjproject/commit/1aa2c0e0fb60a1b0bf793e0d834073ffe50fb196"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-8fmx-hqw7-6gmc"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202210-37"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-667"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-667"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

JSON object

JSON object

JSON object