CVE-2022-39269

EUVD-2022-41776
PJSIP is a free and open source multimedia communication library written in C. When processing certain packets, PJSIP may incorrectly switch from using SRTP media transport to using basic RTP upon SRTP restart, causing the media to be sent insecurely. The vulnerability impacts all PJSIP users that use SRTP. The patch is available as commit d2acb9a in the master branch of the project and will be included in version 2.13. Users are advised to manually patch or to upgrade. There are no known workarounds for this vulnerability.
CVSS v3.1 scores

Provider   Type     Base score    Attack vector  Attack complexity  Privileges required  Vector
NIST       Primary  9.1 CRITICAL  NETWORK        LOW                NONE                 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
GitHub_M   CNA      9.1 CRITICAL  NETWORK        LOW                NONE                 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS score percentile: 42%
Affected Products (NVD)

Vendor  Product  Version
pjsip   pjsip    2.11 ≤ x < 2.13   (x = vulnerable software versions)
Debian Releases

Product   Codename             Version                           Status
asterisk  bullseye             1:16.28.0~dfsg-0+deb11u4          not-affected
asterisk  bullseye (security)  1:16.28.0~dfsg-0+deb11u5          fixed
asterisk  buster               -                                 not-affected
asterisk  sid                  1:22.0.0~dfsg+~cs6.14.60671435-1  fixed
ring      bookworm             20230206.0~ds2-1.1                fixed
ring      bullseye             20210112.2.b757bac~ds1-1          not-affected
ring      bullseye (security)  20210112.2.b757bac~ds1-1+deb11u1  fixed
ring      buster               -                                 not-affected
ring      sid                  20231201.0~ds1-1                  fixed
Ubuntu Releases

Status values are Ubuntu CVE tracker states; "dne" means the package does not exist in that release.

Product    Codename  Status
asterisk   bionic    needs-triage
asterisk   focal     needs-triage
asterisk   jammy     needs-triage
asterisk   kinetic   ignored
asterisk   lunar     ignored
asterisk   mantic    ignored
asterisk   noble     needs-triage
asterisk   trusty    ignored
asterisk   xenial    needs-triage
pjproject  bionic    needs-triage
pjproject  focal     dne
pjproject  jammy     dne
pjproject  kinetic   dne
pjproject  trusty    ignored
pjproject  xenial    needs-triage
ring       bionic    needs-triage
ring       focal     needs-triage
ring       jammy     dne
ring       kinetic   dne
ring       lunar     ignored
ring       mantic    ignored
ring       noble     dne
ring       trusty    ignored
ring       xenial    ignored