CVE-2022-24763 - OpenCVE

PJSIP is a free and open source multimedia communication library written in the C language. Versions 2.12 and prior contain a denial-of-service vulnerability that affects PJSIP users that consume PJSIP's XML parsing in their apps. Users are advised to update. There are no known workarounds.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Pjsip	Pjsip
Debian	Debian Linux

Configuration 1 [-]

cpe:2.3:a:pjsip:pjsip:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

References

Link	Resource
https://github.com/pjsip/pjproject/commit/856f87c2e97a27b256482dbe0d748b1194355a21	Patch Third Party Advisory
https://github.com/pjsip/pjproject/security/advisories/GHSA-5x45-qp78-g4p4	Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/05/msg00047.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html	Mailing List Third Party Advisory
https://security.gentoo.org/glsa/202210-37	Third Party Advisory
https://www.debian.org/security/2022/dsa-5285	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-03-30T00:00:00

Updated: 2023-08-30T00:06:45.701057

Reserved: 2022-02-10T00:00:00

Link: CVE-2022-24763

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-03-30T21:15:07.927

Modified: 2024-01-25T21:31:46.403

Link: CVE-2022-24763

JSON object: View

Redhat Information

No data.

CWE

CWE-835

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-24763", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2023-08-30T00:06:45.701057", "dateReserved": "2022-02-10T00:00:00", "datePublished": "2022-03-30T00:00:00"}, "containers": {"cna": {"title": "Infinite Loop in PJSIP", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-08-30T00:06:45.701057"}, "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in the C language. Versions 2.12 and prior contain a denial-of-service vulnerability that affects PJSIP users that consume PJSIP's XML parsing in their apps. Users are advised to update. There are no known workarounds."}], "affected": [{"vendor": "pjsip", "product": "pjproject", "versions": [{"version": "<= 2.12", "status": "affected"}]}], "references": [{"url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-5x45-qp78-g4p4"}, {"url": "https://github.com/pjsip/pjproject/commit/856f87c2e97a27b256482dbe0d748b1194355a21"}, {"name": "[debian-lts-announce] 20220531 [SECURITY] [DLA 3036-1] pjproject security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00047.html"}, {"name": "GLSA-202210-37", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202210-37"}, {"name": "[debian-lts-announce] 20221117 [SECURITY] [DLA 3194-1] asterisk security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"}, {"name": "DSA-5285", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2022/dsa-5285"}, {"name": "[debian-lts-announce] 20230829 [SECURITY] [DLA 3549-1] ring security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')", "cweId": "CWE-835"}]}], "source": {"advisory": "GHSA-5x45-qp78-g4p4", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pjsip:pjsip:*:*:*:*:*:*:*:*", "matchCriteriaId": "717BC63D-2EB7-49DF-93AE-540C8EC4FF96", "versionEndIncluding": "2.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in the C language. Versions 2.12 and prior contain a denial-of-service vulnerability that affects PJSIP users that consume PJSIP's XML parsing in their apps. Users are advised to update. There are no known workarounds."}, {"lang": "es", "value": "PJSIP es una biblioteca de comunicaci\u00f3n multimedia gratuita y de c\u00f3digo abierto escrita en lenguaje C. Las versiones 2.12 y anteriores contienen una vulnerabilidad de denegaci\u00f3n de servicio que afecta a usuarios de PJSIP que consumen el an\u00e1lisis XML de PJSIP en sus aplicaciones. Es recomendado a usuarios actualizar. No se presentan medidas de mitigaci\u00f3n conocidas"}], "id": "CVE-2022-24763", "lastModified": "2024-01-25T21:31:46.403", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-03-30T21:15:07.927", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/pjsip/pjproject/commit/856f87c2e97a27b256482dbe0d748b1194355a21"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-5x45-qp78-g4p4"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00047.html"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202210-37"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5285"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-835"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-835"}], "source": "nvd@nist.gov", "type": "Secondary"}]}