CVE-2022-31031

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-31031
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31031.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-31031
Aliases
  • GHSA-26j7-ww69-c4qj
Downstream
Published
2022-06-07T00:00:00Z
Modified
2025-10-21T07:05:15.986477Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Potential stack buffer overflow when parsing message as a STUN client
Details

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions prior to and including 2.12.1 a stack buffer overflow vulnerability affects PJSIP users that use STUN in their applications, either by: setting a STUN server in their account/media config in PJSUA/PJSUA2 level, or directly using pjlib-util/stun_simple API. A patch is available in commit 450baca which should be included in the next release. There are no known workarounds for this issue.

References

Affected packages

Git / github.com/pjsip/pjproject

Affected ranges

Type
GIT
Repo
https://github.com/pjsip/pjproject
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
450baca94f475345542c6953832650c390889202

Affected versions

2.*

2.10
2.11
2.12

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/pjsip/pjproject/commit/450baca94f475345542c6953832650c390889202",
        "signature_version": "v1",
        "target": {
            "file": "pjlib-util/src/pjlib-util/stun_simple.c"
        },
        "digest": {
            "line_hashes": [
                "18675985838574001591672348400044795040",
                "200545929341133339176492842925854951894",
                "71345757283245926026788890123809048397",
                "211798829883131747519432289994270918858",
                "256546572321531786175823060796245495320",
                "176674116864836577417796026252013864768",
                "35219471761988995358705221229101182948",
                "100676641146409153927902959964396058321",
                "64010385457529374259348921871547858181",
                "171761158291525197135947210639399377618",
                "132419225607288865818083473479881875173",
                "205008093233970311751219738864899309652"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "id": "CVE-2022-31031-b211dd0b"
    },
    {
        "source": "https://github.com/pjsip/pjproject/commit/450baca94f475345542c6953832650c390889202",
        "signature_version": "v1",
        "target": {
            "file": "pjlib-util/src/pjlib-util/stun_simple.c",
            "function": "pjstun_parse_msg"
        },
        "digest": {
            "length": 1569.0,
            "function_hash": "105640829199272616322361861027215462711"
        },
        "deprecated": false,
        "signature_type": "Function",
        "id": "CVE-2022-31031-d5d5e7ab"
    }
]