Skip to main content

Pjsip CVE-2021-43804

HIGH
Out-of-bounds Read (CWE-125)
2021-12-22 security-advisories@github.com
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
CVE Published
Dec 22, 2021 - 18:15 nvd
HIGH 7.3

DescriptionNVD

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming RTCP BYE message contains a reason's length, this declared length is not checked against the actual received packet size, potentially resulting in an out-of-bound read access. This issue affects all users that use PJMEDIA and RTCP. A malicious actor can send a RTCP BYE message with an invalid reason length. Users are advised to upgrade as soon as possible. There are no known workarounds.

AnalysisAI

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Technical ContextAI

This vulnerability is classified as Out-of-bounds Read (CWE-125), which allows attackers to read data from memory outside the intended buffer boundaries. PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming RTCP BYE message contains a reason's length, this declared length is not checked against the actual received packet size, potentially resulting in an out-of-bound read access. A malicious actor can send a RTCP BYE message with an invalid reason length. Users are advised to upgrade as soon as possible. There are no known workarounds. Affected products include: Teluu Pjsip, Debian Debian Linux.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate array indices and buffer lengths. Use memory-safe languages. Enable AddressSanitizer during testing.

More in Pjsip

View all
CVE-2021-43845 CRITICAL POC
9.1 Dec 27

PJSIP is a free and open source multimedia communication library. Rated critical severity (CVSS 9.1), this vulnerability

CVE-2021-21375 MEDIUM POC
6.5 Mar 10

PJSIP is a free and open source multimedia communication library written in C language implementing standard based proto

CVE-2017-16872 CRITICAL
9.8 Nov 17

An issue was discovered in Teluu pjproject (pjlib and pjlib-util) in PJSIP before 2.7.1. Rated critical severity (CVSS 9

CVE-2026-25994 CRITICAL POC
9.8 Feb 11

Buffer overflow in PJSIP multimedia library version 2.16 and earlier in PJNATH ICE implementation. Patch available. Affe

CVE-2026-32945 CRITICAL
9.8 Mar 20

Heap overflow in PJSIP 2.16 and earlier DNS parser allows unauthenticated remote attackers to achieve code execution wit

CVE-2023-38703 CRITICAL
9.8 Oct 06

PJSIP is a free and open source multimedia communication library written in C with high level API in C, C++, Java, C#, a

CVE-2022-23547 CRITICAL
9.8 Dec 23

PJSIP is a free and open source multimedia communication library written in C language implementing standard based proto

CVE-2022-23537 CRITICAL
9.8 Dec 20

PJSIP is a free and open source multimedia communication library written in C language implementing standard based proto

CVE-2022-39244 CRITICAL
9.8 Oct 06

PJSIP is a free and open source multimedia communication library written in C. Rated critical severity (CVSS 9.8), this

CVE-2022-31031 CRITICAL
9.8 Jun 09

PJSIP is a free and open source multimedia communication library written in C language implementing standard based proto

CVE-2022-24786 CRITICAL
9.8 Apr 06

PJSIP is a free and open source multimedia communication library written in C. Rated critical severity (CVSS 9.8), this

CVE-2022-24754 CRITICAL
9.8 Mar 11

PJSIP is a free and open source multimedia communication library written in C language. Rated critical severity (CVSS 9.

Share

CVE-2021-43804 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy