Use-after-free in pjsip

#VU60862 Use-after-free in pjsip

Published: 2022-02-24 | Updated: 2022-03-06

Vulnerability identifier: #VU60862

Vulnerability risk: High

CVSSv3.1:

CVE-ID: CVE-2022-23608

CWE-ID: CWE-416

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
pjsip
Universal components / Libraries / Libraries used by multiple products

Vendor: pjsip

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in dialog set. A remote attacker can send a specially crafted request to cause a dialog set to be registered in the hash table multiple times and results in an endless loop condition.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

pjsip: 0.5.0.1 - 2.11.1

CPE

cpe:2.3:a:pjsip:pjsip:2.11.1:*:*:*:*:*:*:*

External links
http://github.com/pjsip/pjproject/security/advisories/GHSA-ffff-m5fm-qm62
http://github.com/pjsip/pjproject/commit/db3235953baa56d2fb0e276ca510fefca751643f

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Gentoo update for PJSIP

Debian update for asterisk

Asterisk update for pjsip

Multiple vulnerabilities in PJSIP