CVE-2022-31031
moderate-risk
Published 2022-06-09
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions prior to and including 2.12.1 a stack buffer overflow vulnerability affects PJSIP users that use STUN in their applications, either by: setting a STUN server in their account/media config in PJSUA/PJSUA2 level, or directly using `pjlib-util/stun_simple` API. A patch is available in commit 450baca which should be included in the next release. There are no known workarounds for this issue.
Do I need to act?
-
0.72% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (3)
References (13)
Third Party Advisory
https://security.gentoo.org/glsa/202210-37
Third Party Advisory
https://www.debian.org/security/2023/dsa-5358
Third Party Advisory
https://security.gentoo.org/glsa/202210-37
Third Party Advisory
https://www.debian.org/security/2023/dsa-5358
43
/ 100
moderate-risk
Severity
32/34 · Critical
Exploitability
2/34 · Minimal
Exposure
9/34 · Low