CVE-2022-24754

HIGH

PJSIP <2.12 - Buffer Overflow

Title source: llm

Description

PJSIP is a free and open source multimedia communication library written in C language. In versions prior to and including 2.12 PJSIP there is a stack-buffer overflow vulnerability which only impacts PJSIP users who accept hashed digest credentials (credentials with data_type `PJSIP_CRED_DATA_DIGEST`). This issue has been patched in the master branch of the PJSIP repository and will be included with the next release. Users unable to upgrade need to check that the hashed digest data length must be equal to `PJSIP_MD5STRLEN` before passing to PJSIP.

References (6)

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html

[Third Party Advisory] https://security.gentoo.org/glsa/202210-37

[Mailing List] https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html

[Mailing List] https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html

[Patch, Third Party Advisory] https://github.com/pjsip/pjproject/commit/d27f79da11df7bc8bb56c2f291d71e54df8d2c47

View Patch ZIP pw:eip

[Patch, Third Party Advisory] https://github.com/pjsip/pjproject/security/advisories/GHSA-73f7-48m9-w662

Scores

CVSS v3 8.5

EPSS 0.0046

EPSS Percentile 64.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-1284 CWE-120

Status published

Products (2)

debian/debian_linux 9.0

teluu/pjsip < 2.12

Published Mar 11, 2022

Tracked Since Feb 18, 2026