#VU55295 Uncaught Exception in pjsip
Vulnerability identifier: #VU55295
Vulnerability risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-248
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
pjsip
Universal components / Libraries /
Libraries used by multiple products
Vendor: pjsip
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The
vulnerability exists due to uncaught exception in pjsip when processing TLS handshake. A remote
attacker can initiate TLS connection with the software and then destroy
the socket during handshake, causing the application to crash.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
pjsip: 0.5.0.1 - 2.11
External links
http://github.com/pjsip/pjproject/security/advisories/GHSA-cv8x-p47p-99wr
http://github.com/pjsip/pjproject/pull/2716
http://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd
http://github.com/pjsip/pjproject/releases/tag/2.11.1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
