Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2021-37706

Опубликовано: 22 дек. 2021
Источник: nvd
CVSS3: 7.3
CVSS3: 9.8
CVSS2: 9.3
EPSS Низкий

Описание

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all users that use STUN. A malicious actor located within the victim’s network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victim’s machine. Users are advised to upgrade as soon as possible. There are no known workarounds.

Ссылки

Уязвимые конфигурации

Конфигурация 1
cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:*
Версия до 2.11.1 (включая)
Конфигурация 2

Одно из

cpe:2.3:a:asterisk:certified_asterisk:*:*:*:*:*:*:*:*
Версия до 16.8.0 (исключая)
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:*:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert1:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert10:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert11:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert12:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert2:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert3:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert4:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert5:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert6:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert7:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert8:*:*:*:*:*:*
cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert9:*:*:*:*:*:*
cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
Версия от 16.0.0 (включая) до 16.24.1 (исключая)
cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
Версия от 18.0.0 (включая) до 18.10.1 (исключая)
cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
Версия от 19.0.0 (включая) до 19.2.1 (исключая)
Конфигурация 3

Одно из

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

EPSS

Процентиль: 47%
0.00244
Низкий

7.3 High

CVSS3

9.8 Critical

CVSS3

9.3 Critical

CVSS2

Дефекты

CWE-191
CWE-191

Связанные уязвимости

ubuntu логотип

CVE-2021-37706

CVSS3: 7.3
ubuntu
около 4 лет назад

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all users that use STUN. A malicious actor located within the victim’s network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victim’s machine. Users are advised to upgrade as soon as possible. There are no known workarounds.

debian логотип

CVE-2021-37706

CVSS3: 7.3
debian
около 4 лет назад

PJSIP is a free and open source multimedia communication library writt ...

fstec логотип

BDU:2022-01086

CVSS3: 7.3
fstec
больше 4 лет назад

Уязвимость мультимедийной коммуникационной библиотеки PJSIP, связанная с целочисленной потерей значимости, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 47%
0.00244
Низкий

7.3 High

CVSS3

9.8 Critical

CVSS3

9.3 Critical

CVSS2

Дефекты

CWE-191
CWE-191