CVE-2022-24793

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-24793
PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.12 and prior affects applications that use PJSIP DNS resolution. It doesn't affect PJSIP users who utilize an external resolver. This vulnerability is related to CVE-2023-27585. The difference is that this issue is in parsing the query record `parse_rr()`, while the issue in CVE-2023-27585 is in `parse_query()`. A patch is available in the `master` branch of the `pjsip/pjproject` GitHub repository. A workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an external resolver instead.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

4.3 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:N/A:P

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References
Link Resource
https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a Patch Third Party Advisory
https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4 Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/05/msg00047.html Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
https://security.gentoo.org/glsa/202210-37 Third Party Advisory
https://www.debian.org/security/2022/dsa-5285 Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:pjsip:pjsip:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
History

20 Mar 2023, 17:15

Type Values Removed Values Added
CPE cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Summary PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.12 and prior affects applications that uses PJSIP DNS resolution. It doesn't affect PJSIP users who utilize an external resolver. A patch is available in the `master` branch of the `pjsip/pjproject` GitHub repository. A workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an external resolver instead. PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.12 and prior affects applications that use PJSIP DNS resolution. It doesn't affect PJSIP users who utilize an external resolver. This vulnerability is related to CVE-2023-27585. The difference is that this issue is in parsing the query record `parse_rr()`, while the issue in CVE-2023-27585 is in `parse_query()`. A patch is available in the `master` branch of the `pjsip/pjproject` GitHub repository. A workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an external resolver instead.
References (GENTOO) https://security.gentoo.org/glsa/202210-37 - (GENTOO) https://security.gentoo.org/glsa/202210-37 - Third Party Advisory
References (DEBIAN) https://www.debian.org/security/2022/dsa-5285 - (DEBIAN) https://www.debian.org/security/2022/dsa-5285 - Third Party Advisory
References (MLIST) https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html - (MLIST) https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html - Mailing List, Third Party Advisory

18 Nov 2022, 16:15

Type Values Removed Values Added
References
  • (DEBIAN) https://www.debian.org/security/2022/dsa-5285 -
  • (MLIST) https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html -

31 Oct 2022, 22:15

Type Values Removed Values Added
References
  • (GENTOO) https://security.gentoo.org/glsa/202210-37 -

14 Oct 2022, 11:33

Type Values Removed Values Added
References (MLIST) https://lists.debian.org/debian-lts-announce/2022/05/msg00047.html - (MLIST) https://lists.debian.org/debian-lts-announce/2022/05/msg00047.html - Mailing List, Third Party Advisory
CPE cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

02 Jun 2022, 14:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2022/05/msg00047.html -

14 Apr 2022, 17:48

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : 4.3
v3 : 7.5
CWE CWE-120
References (CONFIRM) https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4 - (CONFIRM) https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4 - Patch, Third Party Advisory
References (MISC) https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a - (MISC) https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a - Patch, Third Party Advisory
CPE cpe:2.3:a:pjsip:pjsip:*:*:*:*:*:*:*:*

06 Apr 2022, 14:15

Type Values Removed Values Added
New CVE
Information

Published : 2022-04-06 14:15

Updated : 2024-02-04 22:29

NVD link : CVE-2022-24793

Mitre link : CVE-2022-24793

CVE.ORG link : CVE-2022-24793

JSON object : View

Products Affected

debian

  • debian_linux

pjsip

  • pjsip
CWE
CWE-120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')