PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all users that use STUN. A malicious actor located within the victim’s network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victim’s machine. Users are advised to upgrade as soon as possible. There are no known workarounds.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/166225/Asterisk-Project-Security-Advisory-AST-2022-004.html | Third Party Advisory VDB Entry |
http://seclists.org/fulldisclosure/2022/Mar/0 | Mailing List Patch Third Party Advisory |
https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865 | Patch Third Party Advisory |
https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984 | Patch Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html | Mailing List Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html | Mailing List Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html | |
https://security.gentoo.org/glsa/202210-37 | Third Party Advisory |
https://www.debian.org/security/2022/dsa-5285 | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
30 Aug 2023, 01:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
02 Feb 2023, 18:08
Type | Values Removed | Values Added |
---|---|---|
References | (MLIST) https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html - Mailing List, Third Party Advisory | |
References | (DEBIAN) https://www.debian.org/security/2022/dsa-5285 - Third Party Advisory | |
CPE | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
18 Nov 2022, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
17 Nov 2022, 14:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
16 Nov 2022, 19:03
Type | Values Removed | Values Added |
---|---|---|
References | (GENTOO) https://security.gentoo.org/glsa/202210-37 - Third Party Advisory | |
References | (MISC) http://packetstormsecurity.com/files/166225/Asterisk-Project-Security-Advisory-AST-2022-004.html - Third Party Advisory, VDB Entry | |
References | (MLIST) https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html - Mailing List, Third Party Advisory |
31 Oct 2022, 22:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
25 Apr 2022, 15:22
Type | Values Removed | Values Added |
---|---|---|
First Time |
Asterisk
Asterisk certified Asterisk Debian debian Linux Sangoma asterisk Debian Sangoma |
|
References | (MISC) http://packetstormsecurity.com/files/166225/Asterisk-Project-Security-Advisory-AST-2022-004.html - Third Party Advisory | |
References | (MLIST) https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html - Third Party Advisory | |
References | (FULLDISC) http://seclists.org/fulldisclosure/2022/Mar/0 - Mailing List, Patch, Third Party Advisory | |
CPE | cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert4:*:*:*:*:*:* cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert12:*:*:*:*:*:* cpe:2.3:a:asterisk:certified_asterisk:*:*:*:*:*:*:*:* cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert5:*:*:*:*:*:* cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert8:*:*:*:*:*:* cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert11:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert2:*:*:*:*:*:* cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert6:*:*:*:*:*:* cpe:2.3:a:asterisk:certified_asterisk:16.8.0:*:*:*:*:*:*:* cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert9:*:*:*:*:*:* cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert3:*:*:*:*:*:* cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert1:*:*:*:*:*:* cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert10:*:*:*:*:*:* cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert7:*:*:*:*:*:* cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:* |
28 Mar 2022, 17:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
10 Mar 2022, 17:42
Type | Values Removed | Values Added |
---|---|---|
References |
|
04 Mar 2022, 22:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
03 Jan 2022, 23:20
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : 9.3
v3 : 9.8 |
First Time |
Teluu pjsip
Teluu |
|
References | (CONFIRM) https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984 - Patch, Third Party Advisory | |
References | (MISC) https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865 - Patch, Third Party Advisory |
22 Dec 2021, 18:28
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-12-22 18:15
Updated : 2023-12-10 14:09
NVD link : CVE-2021-37706
Mitre link : CVE-2021-37706
CVE.ORG link : CVE-2021-37706
JSON object : View
Products Affected
teluu
- pjsip
debian
- debian_linux
asterisk
- certified_asterisk
sangoma
- asterisk
CWE
CWE-191
Integer Underflow (Wrap or Wraparound)