TROYANOSYVIRUS
Retour aux CVEs

CVE-2021-37706

HIGH
7.3

Description

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all users that use STUN. A malicious actor located within the victim’s network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victim’s machine. Users are advised to upgrade as soon as possible. There are no known workarounds.

Details CVE

Score CVSS v3.17.3
SeveriteHIGH
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisNONE
Interaction utilisateurNONE
Publie12/22/2021
Derniere modification11/4/2025
Sourcenvd
Observations honeypot0

Produits affectes

asterisk:certified_asteriskdebian:debian_linuxsangoma:asteriskteluu:pjsip

Faiblesses (CWE)

CWE-191CWE-191

References

http://packetstormsecurity.com/files/166225/Asterisk-Project-Security-Advisory-AST-2022-004.html(security-advisories@github.com)
http://seclists.org/fulldisclosure/2022/Mar/0(security-advisories@github.com)
https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865(security-advisories@github.com)
https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984(security-advisories@github.com)
https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html(security-advisories@github.com)
https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html(security-advisories@github.com)
https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html(security-advisories@github.com)
https://security.gentoo.org/glsa/202210-37(security-advisories@github.com)
https://www.debian.org/security/2022/dsa-5285(security-advisories@github.com)
http://packetstormsecurity.com/files/166225/Asterisk-Project-Security-Advisory-AST-2022-004.html(af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2022/Mar/0(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984(af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html(af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html(af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html(af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html(af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202210-37(af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2022/dsa-5285(af854a3a-2127-422b-91ae-364da2661108)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.