CVE-2022-24754

moderate-risk
Published 2022-03-11

PJSIP is a free and open source multimedia communication library written in C language. In versions prior to and including 2.12 PJSIP there is a stack-buffer overflow vulnerability which only impacts PJSIP users who accept hashed digest credentials (credentials with data_type `PJSIP_CRED_DATA_DIGEST`). This issue has been patched in the master branch of the PJSIP repository and will be included with the next release. Users unable to upgrade need to check that the hashed digest data length must be equal to `PJSIP_MD5STRLEN` before passing to PJSIP.

Do I need to act?

-
0.47% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.5/10 High
NETWORK / HIGH complexity

Affected Products (2)

Affected Vendors

Debian Teluu

References (11)

Patch https://github.com/pjsip/pjproject/commit/d27f79da11df7bc8bb56c2f291d71e54df8d2c...
Patch https://github.com/pjsip/pjproject/security/advisories/GHSA-73f7-48m9-w662
Mailing List https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html
https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
Third Party Advisory https://security.gentoo.org/glsa/202210-37
Patch https://github.com/pjsip/pjproject/commit/d27f79da11df7bc8bb56c2f291d71e54df8d2c...
Patch https://github.com/pjsip/pjproject/security/advisories/GHSA-73f7-48m9-w662
Mailing List https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html
https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html
Third Party Advisory https://security.gentoo.org/glsa/202210-37
34
/ 100
moderate-risk
Severity 25/34 · High
Exploitability 2/34 · Minimal
Exposure 7/34 · Low