CVE-2022-24786

EUVD-2022-29599
PJSIP is a free and open source multimedia communication library written in C. PJSIP versions 2.12 and prior do not parse incoming RTCP feedback RPSI (Reference Picture Selection Indication) packet, but any app that directly uses pjmedia_rtcp_fb_parse_rpsi() will be affected. A patch is available in the `master` branch of the `pjsip/pjproject` GitHub repository. There are currently no known workarounds.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
GitHub_MCNA
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 72%
Affected Products (NVD)
VendorProductVersion
pjsippjsip
𝑥
≤ 2.12
debiandebian_linux
9.0
debiandebian_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
asterisk
bullseye
1:16.28.0~dfsg-0+deb11u4
fixed
bullseye (security)
1:16.28.0~dfsg-0+deb11u5
fixed
sid
1:22.0.0~dfsg+~cs6.14.60671435-1
fixed
stretch
not-affected
ring
bookworm
20230206.0~ds2-1.1
fixed
bullseye
unimportant
bullseye (security)
unimportant
sid
20231201.0~ds1-1
fixed
stretch
not-affected
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
pjproject
bionic
needs-triage
trusty
ignored
xenial
needs-triage
ring
bionic
needs-triage
focal
needs-triage
impish
ignored
lunar
ignored
mantic
ignored
noble
dne
trusty
ignored
xenial
ignored
sflphone
trusty
ignored
xenial
ignored
Common Weakness Enumeration
References
https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508
https://github.com/pjsip/pjproject/security/advisories/GHSA-vhxv-phmx-g52q
https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
https://security.gentoo.org/glsa/202210-37
https://www.debian.org/security/2022/dsa-5285
https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508
https://github.com/pjsip/pjproject/security/advisories/GHSA-vhxv-phmx-g52q
https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
https://security.gentoo.org/glsa/202210-37
https://www.debian.org/security/2022/dsa-5285