CVE-2022-24786

moderate-risk
Published 2022-04-06

PJSIP is a free and open source multimedia communication library written in C. PJSIP versions 2.12 and prior do not parse incoming RTCP feedback RPSI (Reference Picture Selection Indication) packet, but any app that directly uses pjmedia_rtcp_fb_parse_rpsi() will be affected. A patch is available in the `master` branch of the `pjsip/pjproject` GitHub repository. There are currently no known workarounds.

Do I need to act?

-
0.74% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 11559e49e65bdf00922ad5ae28913ec6a198d508
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (3)

Pjsip

Affected Vendors

Debian Pjsip

References (10)

Patch https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d5...
Third Party Advisory https://github.com/pjsip/pjproject/security/advisories/GHSA-vhxv-phmx-g52q
Mailing List https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
Third Party Advisory https://security.gentoo.org/glsa/202210-37
Third Party Advisory https://www.debian.org/security/2022/dsa-5285
Patch https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d5...
Third Party Advisory https://github.com/pjsip/pjproject/security/advisories/GHSA-vhxv-phmx-g52q
Mailing List https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
Third Party Advisory https://security.gentoo.org/glsa/202210-37
Third Party Advisory https://www.debian.org/security/2022/dsa-5285
44
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 3/34 · Minimal
Exposure 9/34 · Low