CVE-2022-23608
moderate-risk
Published 2022-02-22
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions up to and including 2.11.1 when in a dialog set (or forking) scenario, a hash key shared by multiple UAC dialogs can potentially be prematurely freed when one of the dialogs is destroyed . The issue may cause a dialog set to be registered in the hash table multiple times (with different hash keys) leading to undefined behavior such as dialog list collision which eventually leading to endless loop. A patch is available in commit db3235953baa56d2fb0e276ca510fefca751643f which will be included in the next release. There are no known workarounds for this issue.
Do I need to act?
-
0.78% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.1/10
High
NETWORK
/ HIGH complexity
Affected Products (17)
Certified Asterisk
Certified Asterisk
Certified Asterisk
Certified Asterisk
Certified Asterisk
Certified Asterisk
Certified Asterisk
Certified Asterisk
Certified Asterisk
Certified Asterisk
Certified Asterisk
Certified Asterisk
Certified Asterisk
References (21)
Third Party Advisory
http://packetstormsecurity.com/files/166226/Asterisk-Project-Security-Advisory-A...
Mailing List
http://seclists.org/fulldisclosure/2022/Mar/1
Third Party Advisory
https://security.gentoo.org/glsa/202210-37
Third Party Advisory
https://www.debian.org/security/2022/dsa-5285
Third Party Advisory
http://packetstormsecurity.com/files/166226/Asterisk-Project-Security-Advisory-A...
Mailing List
http://seclists.org/fulldisclosure/2022/Mar/1
Third Party Advisory
https://security.gentoo.org/glsa/202210-37
and 1 more references
46
/ 100
moderate-risk
Severity
24/34 · High
Exploitability
3/34 · Minimal
Exposure
19/34 · Moderate