CVE-2022-23547

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-23547
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-23547.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-23547
Downstream
Related
  • GHSA-9pfh-r8x4-w26w
  • GHSA-cxwq-5g9x-x7fr
Published
2022-12-23T14:00:22Z
Modified
2025-11-06T01:13:18.278860Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H
Summary
Heap buffer overflow in pjproject when decoding STUN message
Details

PJSIP is a free and open source multimedia communication library written in the C language that implements standards-based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. This issue is similar to GHSA-9pfh-r8x4-w26w: a possible buffer overread when parsing a certain STUN message. The vulnerability affects applications that use STUN, including PJNATH and PJSUA-LIB. The patch is available as a commit in the master branch.

Database specific
{
    "cwe_ids": [
        "CWE-122"
    ]
}
References

Affected packages

Git / github.com/pjsip/pjproject

Affected ranges

Type
GIT
Repo
https://github.com/pjsip/pjproject
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

2.*

2.10
2.11
2.12
2.13

Database specific

vanir_signatures

[
    {
        "id": "CVE-2022-23547-462989db",
        "source": "https://github.com/pjsip/pjproject/commit/bc4812d31a67d5e2f973fbfaf950d6118226cf36",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "pjnath/src/pjnath/stun_msg.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2022-23547-8270a588",
        "source": "https://github.com/pjsip/pjproject/commit/bc4812d31a67d5e2f973fbfaf950d6118226cf36",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "function": "decode_errcode_attr",
            "file": "pjnath/src/pjnath/stun_msg.c"
        },
        "digest": {
            "length": 491.0,
            "function_hash": "130888148930563368781015239556470159847"
        },
        "signature_type": "Function"
    },
    {
        "id": "CVE-2022-23547-e3b73a4d",
        "source": "https://github.com/pjsip/pjproject/commit/bc4812d31a67d5e2f973fbfaf950d6118226cf36",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "function": "decode_uint_attr",
            "file": "pjnath/src/pjnath/stun_msg.c"
        },
        "digest": {
            "length": 350.0,
            "function_hash": "336891827683311436262775604520492590857"
        },
        "signature_type": "Function"
    }
]