PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all users that use STUN. A malicious actor located within the victim’s network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victim’s machine. Users are advised to upgrade as soon as possible. There are no known workarounds.
{
"unresolved_ranges": [
{
"vendor_product": "asterisk:certified_asterisk",
"cpes": [
"cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert10:*:*:*:*:*:*",
"cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert11:*:*:*:*:*:*",
"cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert12:*:*:*:*:*:*",
"cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert1:*:*:*:*:*:*",
"cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert2:*:*:*:*:*:*",
"cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert3:*:*:*:*:*:*",
"cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert4:*:*:*:*:*:*",
"cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert5:*:*:*:*:*:*",
"cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert6:*:*:*:*:*:*",
"cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert7:*:*:*:*:*:*",
"cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert8:*:*:*:*:*:*",
"cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert9:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "16.8.0-cert1"
},
{
"last_affected": "16.8.0-cert1"
},
{
"introduced": "16.8.0-cert10"
},
{
"last_affected": "16.8.0-cert10"
},
{
"introduced": "16.8.0-cert11"
},
{
"last_affected": "16.8.0-cert11"
},
{
"introduced": "16.8.0-cert12"
},
{
"last_affected": "16.8.0-cert12"
},
{
"introduced": "16.8.0-cert2"
},
{
"last_affected": "16.8.0-cert2"
},
{
"introduced": "16.8.0-cert3"
},
{
"last_affected": "16.8.0-cert3"
},
{
"introduced": "16.8.0-cert4"
},
{
"last_affected": "16.8.0-cert4"
},
{
"introduced": "16.8.0-cert5"
},
{
"last_affected": "16.8.0-cert5"
},
{
"introduced": "16.8.0-cert6"
},
{
"last_affected": "16.8.0-cert6"
},
{
"introduced": "16.8.0-cert7"
},
{
"last_affected": "16.8.0-cert7"
},
{
"introduced": "16.8.0-cert8"
},
{
"last_affected": "16.8.0-cert8"
},
{
"introduced": "16.8.0-cert9"
},
{
"last_affected": "16.8.0-cert9"
}
],
"source": "CPE_STRING"
},
{
"vendor_product": "debian:debian_linux",
"cpes": [
"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "9.0"
},
{
"last_affected": "9.0"
},
{
"introduced": "10.0"
},
{
"last_affected": "10.0"
}
],
"source": "CPE_STRING"
}
]
}{
"cpe": [
"cpe:2.3:a:asterisk:certified_asterisk:*:*:*:*:*:*:*:*",
"cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
"cpe:2.3:a:asterisk:certified_asterisk:16.8.0:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "16.8.0"
},
{
"introduced": "16.0.0"
},
{
"fixed": "16.24.1"
},
{
"introduced": "18.0.0"
},
{
"fixed": "18.10.1"
},
{
"introduced": "19.0.0"
},
{
"fixed": "19.2.1"
},
{
"introduced": "16.8.0"
},
{
"last_affected": "16.8.0"
}
],
"source": [
"CPE_RANGE",
"CPE_STRING"
]
}{
"cpe": "cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "2.11.1"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
]
}