Out-of-bounds Read in Pjsip Pjproject
CVE-2021-43845
PJSIP is a free and open source multimedia communication library. In version 2.11.1 and prior, if incoming RTCP XR message contain block, the data field is not checked against the received packet size, potentially resulting in an out-of-bo…
Vulnerability class: Buffer Overflow
EPSS: 0.003 (52.3th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 8.2 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L.
Affected products
- Pjsip Pjproject — versions <= 2.11.1
Weakness classification (CWE)
Public proof-of-concept exploits
References
- github.com/pjsip/pjproject/security/advisories/GHSA-r374-qrwv-86hh
- github.com/pjsip/pjproject/pull/2924
- github.com/pjsip/pjproject/commit/f74c1fc22b760d2a24369aa72c74c4a9ab985859
- [debian-lts-announce] 20220328 [SECURITY] [DLA 2962-1] pjproject security update (mailing-list)
- GLSA-202210-37 (vendor-advisory)
- [debian-lts-announce] 20221117 [SECURITY] [DLA 3194-1] asterisk security update (mailing-list)
- DSA-5285 (vendor-advisory)
- [debian-lts-announce] 20230829 [SECURITY] [DLA 3549-1] ring security update (mailing-list)
Frequently asked questions
- What is CVE-2021-43845?
- CVE-2021-43845 is a high-severity vulnerability in Pjsip Pjproject, classified under Out-of-bounds Read. CVSS score: 8.2/10. Published 2021-12-27.
- How severe is CVE-2021-43845?
- High severity. CVSS v3 base score is 8.2 out of 10.
- Is CVE-2021-43845 known to be exploited?
- 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.