{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-21722", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2025-11-04T16:09:29.836Z", "dateReserved": "2021-11-16T00:00:00.000Z", "datePublished": "2022-01-27T00:00:00.000Z"}, "containers": {"cna": {"title": "Potential out-of-bound read during RTP/RTCP parsing in PJSIP", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-08-30T00:06:34.217Z"}, "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.11.1 and prior, there are various cases where it is possible that certain incoming RTP/RTCP packets can potentially cause out-of-bound read access. This issue affects all users that use PJMEDIA and accept incoming RTP/RTCP. A patch is available as a commit in the `master` branch. There are no known workarounds."}], "affected": [{"vendor": "pjsip", "product": "pjproject", "versions": [{"version": "<= 2.11.1", "status": "affected"}]}], "references": [{"url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-m66q-q64c-hv36"}, {"url": "https://github.com/pjsip/pjproject/commit/22af44e68a0c7d190ac1e25075e1382f77e9397a"}, {"name": "[debian-lts-announce] 20220328 [SECURITY] [DLA 2962-1] pjproject security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html"}, {"name": "GLSA-202210-37", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202210-37"}, {"name": "[debian-lts-announce] 20221117 [SECURITY] [DLA 3194-1] asterisk security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"}, {"name": "DSA-5285", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2022/dsa-5285"}, {"name": "[debian-lts-announce] 20230829 [SECURITY] [DLA 3549-1] ring security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "cweId": "CWE-125"}]}], "source": {"advisory": "GHSA-m66q-q64c-hv36", "discovery": "UNKNOWN"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-m66q-q64c-hv36", "tags": ["x_transferred"]}, {"url": "https://github.com/pjsip/pjproject/commit/22af44e68a0c7d190ac1e25075e1382f77e9397a", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20220328 [SECURITY] [DLA 2962-1] pjproject security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html"}, {"name": "GLSA-202210-37", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202210-37"}, {"name": "[debian-lts-announce] 20221117 [SECURITY] [DLA 3194-1] asterisk security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"}, {"name": "DSA-5285", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5285"}, {"name": "[debian-lts-announce] 20230829 [SECURITY] [DLA 3549-1] ring security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-04T16:09:29.836Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T15:57:54.933084Z", "id": "CVE-2022-21722", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T19:08:56.520Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-m66q-q64c-hv36", "tags": ["x_transferred"]}, {"url": "https://github.com/pjsip/pjproject/commit/22af44e68a0c7d190ac1e25075e1382f77e9397a", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html", "name": "[debian-lts-announce] 20220328 [SECURITY] [DLA 2962-1] pjproject security update", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202210-37", "name": "GLSA-202210-37", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html", "name": "[debian-lts-announce] 20221117 [SECURITY] [DLA 3194-1] asterisk security update", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://www.debian.org/security/2022/dsa-5285", "name": "DSA-5285", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html", "name": "[debian-lts-announce] 20230829 [SECURITY] [DLA 3549-1] ring security update", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-04T16:09:29.836Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-21722", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-23T15:57:54.933084Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T15:57:56.331Z"}}], "cna": {"title": "Potential out-of-bound read during RTP/RTCP parsing in PJSIP", "source": {"advisory": "GHSA-m66q-q64c-hv36", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pjsip", "product": "pjproject", "versions": [{"status": "affected", "version": "<= 2.11.1"}]}], "references": [{"url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-m66q-q64c-hv36"}, {"url": "https://github.com/pjsip/pjproject/commit/22af44e68a0c7d190ac1e25075e1382f77e9397a"}, {"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html", "name": "[debian-lts-announce] 20220328 [SECURITY] [DLA 2962-1] pjproject security update", "tags": ["mailing-list"]}, {"url": "https://security.gentoo.org/glsa/202210-37", "name": "GLSA-202210-37", "tags": ["vendor-advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html", "name": "[debian-lts-announce] 20221117 [SECURITY] [DLA 3194-1] asterisk security update", "tags": ["mailing-list"]}, {"url": "https://www.debian.org/security/2022/dsa-5285", "name": "DSA-5285", "tags": ["vendor-advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html", "name": "[debian-lts-announce] 20230829 [SECURITY] [DLA 3549-1] ring security update", "tags": ["mailing-list"]}], "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.11.1 and prior, there are various cases where it is possible that certain incoming RTP/RTCP packets can potentially cause out-of-bound read access. This issue affects all users that use PJMEDIA and accept incoming RTP/RTCP. A patch is available as a commit in the `master` branch. There are no known workarounds."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-08-30T00:06:34.217Z"}}}, "cveMetadata": {"cveId": "CVE-2022-21722", "state": "PUBLISHED", "dateUpdated": "2025-11-04T16:09:29.836Z", "dateReserved": "2021-11-16T00:00:00.000Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-01-27T00:00:00.000Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:*", "matchCriteriaId": "6BB0273A-3235-4BC7-A1BE-7D35BABD8617", "versionEndIncluding": "2.11.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.11.1 and prior, there are various cases where it is possible that certain incoming RTP/RTCP packets can potentially cause out-of-bound read access. This issue affects all users that use PJMEDIA and accept incoming RTP/RTCP. A patch is available as a commit in the `master` branch. There are no known workarounds."}, {"lang": "es", "value": "PJSIP es una biblioteca de comunicaci\u00f3n multimedia gratuita y de c\u00f3digo abierto escrita en lenguaje C que implementa protocolos basados en est\u00e1ndares como SIP, SDP, RTP, STUN, TURN e ICE. En la versi\u00f3n 2.11.1 y anteriores, se presentan varios casos en los que es posible que determinados paquetes RTP/RTCP entrantes puedan causar potencialmente un acceso de lectura fuera de l\u00edmites. Este problema afecta a todos los usuarios que usan PJMEDIA y aceptan RTP/RTCP entrantes. Se presenta un parche disponible en la rama \"master\". No se presentan medidas de mitigaci\u00f3n conocidas"}], "id": "CVE-2022-21722", "lastModified": "2025-11-04T16:15:46.323", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "[email protected]", "type": "Primary"}]}, "published": "2022-01-27T00:15:07.653", "references": [{"source": "[email protected]", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/pjsip/pjproject/commit/22af44e68a0c7d190ac1e25075e1382f77e9397a"}, {"source": "[email protected]", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-m66q-q64c-hv36"}, {"source": "[email protected]", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html"}, {"source": "[email protected]", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"}, {"source": "[email protected]", "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202210-37"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5285"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/pjsip/pjproject/commit/22af44e68a0c7d190ac1e25075e1382f77e9397a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-m66q-q64c-hv36"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202210-37"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5285"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-125"}], "source": "[email protected]", "type": "Primary"}]}

{}