CVE-2022-24786

PJSIP is a free and open source multimedia communication library written in C. PJSIP versions 2.12 and prior do not parse incoming RTCP feedback RPSI (Reference Picture Selection Indication) packet, but any app that directly uses pjmedia_rtcp_fb_parse_rpsi() will be affected. A patch is available in the `master` branch of the `pjsip/pjproject` GitHub repository. There are currently no known workarounds.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
GitHub_MCNA
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 47%
VendorProductVersion
pjsippjsip
𝑥
≤ 2.12
debiandebian_linux
9.0
debiandebian_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
asterisk
bullseye
1:16.28.0~dfsg-0+deb11u4
fixed
stretch
not-affected
bullseye (security)
1:16.28.0~dfsg-0+deb11u5
fixed
sid
1:22.0.0~dfsg+~cs6.14.60671435-1
fixed
ring
bullseye
unimportant
stretch
not-affected
bullseye (security)
unimportant
bookworm
20230206.0~ds2-1.1
fixed
sid
20231201.0~ds1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
pjproject
bionic
needs-triage
xenial
needs-triage
trusty
ignored
ring
noble
dne
mantic
ignored
lunar
ignored
impish
ignored
focal
needs-triage
bionic
needs-triage
xenial
ignored
trusty
ignored
sflphone
xenial
ignored
trusty
ignored
Common Weakness Enumeration
References
https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508
https://github.com/pjsip/pjproject/security/advisories/GHSA-vhxv-phmx-g52q
https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
https://security.gentoo.org/glsa/202210-37
https://www.debian.org/security/2022/dsa-5285
https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508
https://github.com/pjsip/pjproject/security/advisories/GHSA-vhxv-phmx-g52q
https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
https://security.gentoo.org/glsa/202210-37
https://www.debian.org/security/2022/dsa-5285