Vulnerability-Lookup

CVE-2021-37706 (GCVE-0-2021-37706)

Vulnerability from cvelistv5 – Published: 2021-12-22 00:00 – Updated: 2025-11-04 16:09

Title

Potential integer underflow upon receiving STUN message in PJSIP

Summary

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all users that use STUN. A malicious actor located within the victim’s network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victim’s machine. Users are advised to upgrade as soon as possible. There are no known workarounds.

Severity ?

7.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-191 - Integer Underflow (Wrap or Wraparound)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/pjsip/pjproject/security/advis…
	https://github.com/pjsip/pjproject/commit/15663e3…
	http://seclists.org/fulldisclosure/2022/Mar/0	mailing-list
	http://packetstormsecurity.com/files/166225/Aster…
	https://lists.debian.org/debian-lts-announce/2022…	mailing-list
	https://security.gentoo.org/glsa/202210-37	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2022…	mailing-list
	https://www.debian.org/security/2022/dsa-5285	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2023…	mailing-list

Impacted products

	Vendor	Product	Version
	pjsip	pjproject	Affected: <= 2.11.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T16:09:17.025Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865"
          },
          {
            "name": "20220304 AST-2022-004: pjproject: integer underflow on STUN message",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2022/Mar/0"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/166225/Asterisk-Project-Security-Advisory-AST-2022-004.html"
          },
          {
            "name": "[debian-lts-announce] 20220328 [SECURITY] [DLA 2962-1] pjproject security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html"
          },
          {
            "name": "GLSA-202210-37",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202210-37"
          },
          {
            "name": "[debian-lts-announce] 20221117 [SECURITY] [DLA 3194-1] asterisk security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"
          },
          {
            "name": "DSA-5285",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5285"
          },
          {
            "name": "[debian-lts-announce] 20230829 [SECURITY] [DLA 3549-1] ring security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "pjproject",
          "vendor": "pjsip",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 2.11.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all users that use STUN. A malicious actor located within the victim\u2019s network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victim\u2019s machine. Users are advised to upgrade as soon as possible. There are no known workarounds."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-191",
              "description": "CWE-191: Integer Underflow (Wrap or Wraparound)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-30T00:06:40.686Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984"
        },
        {
          "url": "https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865"
        },
        {
          "name": "20220304 AST-2022-004: pjproject: integer underflow on STUN message",
          "tags": [
            "mailing-list"
          ],
          "url": "http://seclists.org/fulldisclosure/2022/Mar/0"
        },
        {
          "url": "http://packetstormsecurity.com/files/166225/Asterisk-Project-Security-Advisory-AST-2022-004.html"
        },
        {
          "name": "[debian-lts-announce] 20220328 [SECURITY] [DLA 2962-1] pjproject security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html"
        },
        {
          "name": "GLSA-202210-37",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202210-37"
        },
        {
          "name": "[debian-lts-announce] 20221117 [SECURITY] [DLA 3194-1] asterisk security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"
        },
        {
          "name": "DSA-5285",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5285"
        },
        {
          "name": "[debian-lts-announce] 20230829 [SECURITY] [DLA 3549-1] ring security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html"
        }
      ],
      "source": {
        "advisory": "GHSA-2qpg-f6wf-w984",
        "discovery": "UNKNOWN"
      },
      "title": "Potential integer underflow upon receiving STUN message in PJSIP"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-37706",
    "datePublished": "2021-12-22T00:00:00.000Z",
    "dateReserved": "2021-07-29T00:00:00.000Z",
    "dateUpdated": "2025-11-04T16:09:17.025Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CERTFR-2022-AVI-208

Vulnerability from certfr_avis - Published: 2022-03-07 - Updated: 2022-03-07

De multiples vulnérabilités ont été découvertes dans Asterisk. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance et un déni de service.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Asterisk open source versions 16.x antérieures à 16.24.1
Asterisk open source versions 18.x antérieures à 18.10.1
Asterisk open source versions 19.x antérieures à 19.2.1
Asterisk versions certifiées antérieures à 16.8-cert13

Les systèmes qui n'utilisent pas le module pjproject sous forme de bundle, il est requis d'installer le correctif de pjproject.

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

Bulletin de sécurité Asterisk AST-2022-004 du 04 mars 2022	None	vendor-advisory
Bulletin de sécurité Asterisk AST-2022-006 du 04 mars 2022	None	vendor-advisory
Bulletin de sécurité Asterisk AST-2022-005 du 04 mars 2022	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cul\u003e \u003cli\u003eAsterisk open source versions 16.x ant\u00e9rieures \u00e0 16.24.1\u003c/li\u003e \u003cli\u003eAsterisk open source versions 18.x ant\u00e9rieures \u00e0 18.10.1\u003c/li\u003e \u003cli\u003eAsterisk open source versions 19.x ant\u00e9rieures \u00e0 19.2.1\u003c/li\u003e \u003cli\u003eAsterisk versions certifi\u00e9es ant\u00e9rieures \u00e0 16.8-cert13\u003c/li\u003e \u003c/ul\u003e \u003cp\u003eLes syst\u00e8mes qui n\u0027utilisent pas le module \u003cem\u003epjproject\u003c/em\u003e sous forme de \u003cem\u003ebundle\u003c/em\u003e, il est requis d\u0027installer le correctif de \u003cem\u003epjproject\u003c/em\u003e.\u003c/p\u003e ",
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-21723",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-21723"
    },
    {
      "name": "CVE-2022-23608",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-23608"
    },
    {
      "name": "CVE-2021-37706",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37706"
    }
  ],
  "initial_release_date": "2022-03-07T00:00:00",
  "last_revision_date": "2022-03-07T00:00:00",
  "links": [],
  "reference": "CERTFR-2022-AVI-208",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-03-07T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "D\u00e9ni de service"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Asterisk. Elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire\n\u00e0 distance et un d\u00e9ni de service.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Asterisk",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Asterisk AST-2022-004 du 04 mars 2022",
      "url": "https://downloads.asterisk.org/pub/security/AST-2022-004.html"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Asterisk AST-2022-006 du 04 mars 2022",
      "url": "https://downloads.asterisk.org/pub/security/AST-2022-006.html"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Asterisk AST-2022-005 du 04 mars 2022",
      "url": "https://downloads.asterisk.org/pub/security/AST-2022-005.html"
    }
  ]
}

CERTFR-2022-AVI-410

Vulnerability from certfr_avis - Published: 2022-05-04 - Updated: 2022-05-04

De multiples vulnérabilités ont été découvertes dans les produits Fortinet. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Fortinet	FortiNAC	Fortinet FortiNAC versions 9.2.x antérieures à 9.2.3
Fortinet	FortiNAC	Fortinet FortiNAC versions 9.4.x antérieures à 9.4.0
Fortinet	FortiGate	Fortinet FortiGate versions 7.0.x antérieures à 7.0.4
Fortinet	N/A	Fortinet FortiIsolator versions antérieures à 2.3.3 ou 2.4.0
Fortinet	FortiProxy	Fortinet FortiProxy versions 2.0.x antérieures à 2.0.8
Fortinet	FortiClient	Fortinet FortiClient versions antérieures à 6.4.7
Fortinet	FortiSOAR	Fortinet FortiSOAR versions antérieures à 7.2.0
Fortinet	FortiProxy	Fortinet FortiProxy versions 7.0.x antérieures à 7.0.2
Fortinet	FortiClient	Fortinet FortiClient versions 7.x antérieures à 7.0.3
Fortinet	N/A	Fortinet FortiFone versions antérieures à 3.0.12
Fortinet	FortiGate	Fortinet FortiGate versions antérieures à 6.4.9
Fortinet	FortiNAC	Fortinet FortiNAC versions 10.x antérieures à 10.0.0
Fortinet	FortiOS	Fortinet FortiOS versions antérieures à 6.4.9
Fortinet	FortiNAC	Fortinet FortiNAC versions antérieures à 9.1.6
Fortinet	FortiOS	Fortinet FortiOS versions 7.0.x antérieures à 7.0.4 ou 7.2.0

References

Title

Publication Time

Tags

Bulletin de sécurité Fortinet FG-IR-22-062 du 03 mai 2022	None	vendor-advisory
Bulletin de sécurité Fortinet FG-IR-21-231 du 03 mai 2022	None	vendor-advisory
Bulletin de sécurité Fortinet FG-IR-22-041 du 03 mai 2022	None	vendor-advisory
Bulletin de sécurité Fortinet FG-IR-21-147 du 03 mai 2022	None	vendor-advisory
Bulletin de sécurité Fortinet FG-IR-21-040 du 03 mai 2022	None	vendor-advisory
Bulletin de sécurité Fortinet FG-IR-21-230 du 03 mai 2022	None	vendor-advisory
Bulletin de sécurité Fortinet FG-IR-21-239 du 03 mai 2022	None	vendor-advisory
Bulletin de sécurité Fortinet FG-IR-21-154 du 03 mai 2022	None	vendor-advisory
Bulletin de sécurité Fortinet FG-IR-22-007 du 03 mai 2022	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Fortinet FortiNAC versions 9.2.x ant\u00e9rieures \u00e0 9.2.3",
      "product": {
        "name": "FortiNAC",
        "vendor": {
          "name": "Fortinet",
          "scada": false
        }
      }
    },
    {
      "description": "Fortinet FortiNAC versions 9.4.x ant\u00e9rieures \u00e0 9.4.0",
      "product": {
        "name": "FortiNAC",
        "vendor": {
          "name": "Fortinet",
          "scada": false
        }
      }
    },
    {
      "description": "Fortinet FortiGate versions 7.0.x ant\u00e9rieures \u00e0 7.0.4",
      "product": {
        "name": "FortiGate",
        "vendor": {
          "name": "Fortinet",
          "scada": false
        }
      }
    },
    {
      "description": "Fortinet FortiIsolator versions ant\u00e9rieures \u00e0 2.3.3 ou 2.4.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Fortinet",
          "scada": false
        }
      }
    },
    {
      "description": "Fortinet FortiProxy versions 2.0.x ant\u00e9rieures \u00e0 2.0.8",
      "product": {
        "name": "FortiProxy",
        "vendor": {
          "name": "Fortinet",
          "scada": false
        }
      }
    },
    {
      "description": "Fortinet FortiClient versions ant\u00e9rieures \u00e0 6.4.7",
      "product": {
        "name": "FortiClient",
        "vendor": {
          "name": "Fortinet",
          "scada": false
        }
      }
    },
    {
      "description": "Fortinet FortiSOAR versions ant\u00e9rieures \u00e0 7.2.0",
      "product": {
        "name": "FortiSOAR",
        "vendor": {
          "name": "Fortinet",
          "scada": false
        }
      }
    },
    {
      "description": "Fortinet FortiProxy versions 7.0.x ant\u00e9rieures \u00e0 7.0.2",
      "product": {
        "name": "FortiProxy",
        "vendor": {
          "name": "Fortinet",
          "scada": false
        }
      }
    },
    {
      "description": "Fortinet FortiClient versions 7.x ant\u00e9rieures \u00e0 7.0.3",
      "product": {
        "name": "FortiClient",
        "vendor": {
          "name": "Fortinet",
          "scada": false
        }
      }
    },
    {
      "description": "Fortinet FortiFone versions ant\u00e9rieures \u00e0 3.0.12",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Fortinet",
          "scada": false
        }
      }
    },
    {
      "description": "Fortinet FortiGate versions ant\u00e9rieures \u00e0 6.4.9",
      "product": {
        "name": "FortiGate",
        "vendor": {
          "name": "Fortinet",
          "scada": false
        }
      }
    },
    {
      "description": "Fortinet FortiNAC versions 10.x ant\u00e9rieures \u00e0 10.0.0",
      "product": {
        "name": "FortiNAC",
        "vendor": {
          "name": "Fortinet",
          "scada": false
        }
      }
    },
    {
      "description": "Fortinet FortiOS versions ant\u00e9rieures \u00e0 6.4.9",
      "product": {
        "name": "FortiOS",
        "vendor": {
          "name": "Fortinet",
          "scada": false
        }
      }
    },
    {
      "description": "Fortinet FortiNAC versions ant\u00e9rieures \u00e0 9.1.6",
      "product": {
        "name": "FortiNAC",
        "vendor": {
          "name": "Fortinet",
          "scada": false
        }
      }
    },
    {
      "description": "Fortinet FortiOS versions 7.0.x ant\u00e9rieures \u00e0 7.0.4 ou 7.2.0",
      "product": {
        "name": "FortiOS",
        "vendor": {
          "name": "Fortinet",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-43845",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43845"
    },
    {
      "name": "CVE-2021-21375",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21375"
    },
    {
      "name": "CVE-2020-15260",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-15260"
    },
    {
      "name": "CVE-2021-37706",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-37706"
    },
    {
      "name": "CVE-2022-26116",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-26116"
    },
    {
      "name": "CVE-2021-43081",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43081"
    },
    {
      "name": "CVE-2022-23443",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-23443"
    },
    {
      "name": "CVE-2021-43804",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43804"
    },
    {
      "name": "CVE-2021-43066",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43066"
    },
    {
      "name": "CVE-2021-32686",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-32686"
    },
    {
      "name": "CVE-2022-22306",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-22306"
    },
    {
      "name": "CVE-2021-41020",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-41020"
    },
    {
      "name": "CVE-2021-43206",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43206"
    },
    {
      "name": "CVE-2021-41032",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-41032"
    }
  ],
  "initial_release_date": "2022-05-04T00:00:00",
  "last_revision_date": "2022-05-04T00:00:00",
  "links": [],
  "reference": "CERTFR-2022-AVI-410",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-05-04T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nFortinet. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0\ndistance et un contournement de la politique de s\u00e9curit\u00e9.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Fortinet",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-22-062 du 03 mai 2022",
      "url": "https://www.fortiguard.com/psirt/FG-IR-22-062"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-21-231 du 03 mai 2022",
      "url": "https://www.fortiguard.com/psirt/FG-IR-21-231"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-22-041 du 03 mai 2022",
      "url": "https://www.fortiguard.com/psirt/FG-IR-22-041"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-21-147 du 03 mai 2022",
      "url": "https://www.fortiguard.com/psirt/FG-IR-21-147"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-21-040 du 03 mai 2022",
      "url": "https://www.fortiguard.com/psirt/FG-IR-21-040"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-21-230 du 03 mai 2022",
      "url": "https://www.fortiguard.com/psirt/FG-IR-21-230"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-21-239 du 03 mai 2022",
      "url": "https://www.fortiguard.com/psirt/FG-IR-21-239"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-21-154 du 03 mai 2022",
      "url": "https://www.fortiguard.com/psirt/FG-IR-21-154"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Fortinet FG-IR-22-007 du 03 mai 2022",
      "url": "https://www.fortiguard.com/psirt/FG-IR-22-007"
    }
  ]
}

GSD-2021-37706

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-37706

Aliases

CVE-2021-37706

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-37706",
    "description": "PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all users that use STUN. A malicious actor located within the victim\u2019s network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victim\u2019s machine. Users are advised to upgrade as soon as possible. There are no known workarounds.",
    "id": "GSD-2021-37706",
    "references": [
      "https://www.debian.org/security/2022/dsa-5285"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-37706"
      ],
      "details": "PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all users that use STUN. A malicious actor located within the victim\u2019s network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victim\u2019s machine. Users are advised to upgrade as soon as possible. There are no known workarounds.",
      "id": "GSD-2021-37706",
      "modified": "2023-12-13T01:23:09.736690Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-37706",
        "STATE": "PUBLIC",
        "TITLE": "Potential integer underflow upon receiving STUN message in PJSIP"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "pjproject",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c= 2.11.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "pjsip"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all users that use STUN. A malicious actor located within the victim\u2019s network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victim\u2019s machine. Users are advised to upgrade as soon as possible. There are no known workarounds."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-191: Integer Underflow (Wrap or Wraparound)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984",
            "refsource": "CONFIRM",
            "url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984"
          },
          {
            "name": "https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865",
            "refsource": "MISC",
            "url": "https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865"
          },
          {
            "name": "20220304 AST-2022-004: pjproject: integer underflow on STUN message",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2022/Mar/0"
          },
          {
            "name": "http://packetstormsecurity.com/files/166225/Asterisk-Project-Security-Advisory-AST-2022-004.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/166225/Asterisk-Project-Security-Advisory-AST-2022-004.html"
          },
          {
            "name": "[debian-lts-announce] 20220328 [SECURITY] [DLA 2962-1] pjproject security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html"
          },
          {
            "name": "GLSA-202210-37",
            "refsource": "GENTOO",
            "url": "https://security.gentoo.org/glsa/202210-37"
          },
          {
            "name": "[debian-lts-announce] 20221117 [SECURITY] [DLA 3194-1] asterisk security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"
          },
          {
            "name": "DSA-5285",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2022/dsa-5285"
          },
          {
            "name": "[debian-lts-announce] 20230829 [SECURITY] [DLA 3549-1] ring security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-2qpg-f6wf-w984",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.11.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert12:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert11:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert10:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert9:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert8:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert7:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert6:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert5:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert4:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:asterisk:certified_asterisk:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.8.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:asterisk:certified_asterisk:16.8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.24.1",
                "versionStartIncluding": "16.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "19.2.1",
                "versionStartIncluding": "19.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "18.10.1",
                "versionStartIncluding": "18.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-37706"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all users that use STUN. A malicious actor located within the victim\u2019s network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victim\u2019s machine. Users are advised to upgrade as soon as possible. There are no known workarounds."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-191"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984"
            },
            {
              "name": "https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865"
            },
            {
              "name": "20220304 AST-2022-004: pjproject: integer underflow on STUN message",
              "refsource": "FULLDISC",
              "tags": [
                "Mailing List",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "http://seclists.org/fulldisclosure/2022/Mar/0"
            },
            {
              "name": "http://packetstormsecurity.com/files/166225/Asterisk-Project-Security-Advisory-AST-2022-004.html",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/166225/Asterisk-Project-Security-Advisory-AST-2022-004.html"
            },
            {
              "name": "[debian-lts-announce] 20220328 [SECURITY] [DLA 2962-1] pjproject security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html"
            },
            {
              "name": "GLSA-202210-37",
              "refsource": "GENTOO",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202210-37"
            },
            {
              "name": "[debian-lts-announce] 20221117 [SECURITY] [DLA 3194-1] asterisk security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"
            },
            {
              "name": "DSA-5285",
              "refsource": "DEBIAN",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.debian.org/security/2022/dsa-5285"
            },
            {
              "name": "[debian-lts-announce] 20230829 [SECURITY] [DLA 3549-1] ring security update",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.3,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-08-30T01:15Z",
      "publishedDate": "2021-12-22T18:15Z"
    }
  }
}

FKIE_CVE-2021-37706

Vulnerability from fkie_nvd - Published: 2021-12-22 18:15 - Updated: 2025-11-04 16:15

Severity ?

7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	http://packetstormsecurity.com/files/166225/Asterisk-Project-Security-Advisory-AST-2022-004.html	Third Party Advisory, VDB Entry
security-advisories@github.com	http://seclists.org/fulldisclosure/2022/Mar/0	Mailing List, Patch, Third Party Advisory
security-advisories@github.com	https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984	Patch, Third Party Advisory
security-advisories@github.com	https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html	Mailing List, Third Party Advisory
security-advisories@github.com	https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html	Mailing List, Third Party Advisory
security-advisories@github.com	https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
security-advisories@github.com	https://security.gentoo.org/glsa/202210-37	Third Party Advisory
security-advisories@github.com	https://www.debian.org/security/2022/dsa-5285	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/166225/Asterisk-Project-Security-Advisory-AST-2022-004.html	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2022/Mar/0	Mailing List, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html
af854a3a-2127-422b-91ae-364da2661108	https://security.gentoo.org/glsa/202210-37	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.debian.org/security/2022/dsa-5285	Third Party Advisory

Impacted products

Vendor	Product	Version
teluu	pjsip	*
asterisk	certified_asterisk	*
asterisk	certified_asterisk	16.8.0
asterisk	certified_asterisk	16.8.0
asterisk	certified_asterisk	16.8.0
asterisk	certified_asterisk	16.8.0
asterisk	certified_asterisk	16.8.0
asterisk	certified_asterisk	16.8.0
asterisk	certified_asterisk	16.8.0
asterisk	certified_asterisk	16.8.0
asterisk	certified_asterisk	16.8.0
asterisk	certified_asterisk	16.8.0
asterisk	certified_asterisk	16.8.0
asterisk	certified_asterisk	16.8.0
asterisk	certified_asterisk	16.8.0
sangoma	asterisk	*
sangoma	asterisk	*
sangoma	asterisk	*
debian	debian_linux	9.0
debian	debian_linux	10.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6BB0273A-3235-4BC7-A1BE-7D35BABD8617",
              "versionEndIncluding": "2.11.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:asterisk:certified_asterisk:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "02200524-98C1-49E2-8DFE-7BE82E1181E2",
              "versionEndExcluding": "16.8.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:asterisk:certified_asterisk:16.8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FC49FD2F-9A64-4F92-9B73-50E37BEB207E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert1:*:*:*:*:*:*",
              "matchCriteriaId": "E64BCD44-2298-4710-9CC3-DF82E6A8DF94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert10:*:*:*:*:*:*",
              "matchCriteriaId": "91CCAB0C-C0F8-4619-AAE1-F6F13FF31570",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert11:*:*:*:*:*:*",
              "matchCriteriaId": "F2B7CBB3-E037-416B-AD16-9A553D6A4775",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert12:*:*:*:*:*:*",
              "matchCriteriaId": "DE7DDFE1-6A06-477A-AB45-D00053CFA7EC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert2:*:*:*:*:*:*",
              "matchCriteriaId": "A35C117A-6EFB-42EB-AD2A-EA7866606927",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert3:*:*:*:*:*:*",
              "matchCriteriaId": "40003CBE-792F-4875-9E60-6F1CE0BBAA8E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert4:*:*:*:*:*:*",
              "matchCriteriaId": "46A7AA7B-13F2-496A-99ED-1CC13234E8CB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert5:*:*:*:*:*:*",
              "matchCriteriaId": "147663CB-B48D-4D89-96BF-F92FF96F347F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert6:*:*:*:*:*:*",
              "matchCriteriaId": "27DBBC83-930A-4ECE-8C1E-47481D881B0D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert7:*:*:*:*:*:*",
              "matchCriteriaId": "B987A13D-A363-4DCE-BBA1-E35E81ACBA60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert8:*:*:*:*:*:*",
              "matchCriteriaId": "01A5B7F9-FAD2-4C0C-937D-CF1086512130",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:asterisk:certified_asterisk:16.8.0:cert9:*:*:*:*:*:*",
              "matchCriteriaId": "F60B4271-F987-4932-86EE-45ED099661E1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DE99C3B4-20EC-4AC8-9A0A-C690E2DBED99",
              "versionEndExcluding": "16.24.1",
              "versionStartIncluding": "16.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C109B569-DE0D-4AE4-A128-239077CCC05F",
              "versionEndExcluding": "18.10.1",
              "versionStartIncluding": "18.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "44E4E3A7-8CB3-491C-98F6-F78345533E3B",
              "versionEndExcluding": "19.2.1",
              "versionStartIncluding": "19.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all users that use STUN. A malicious actor located within the victim\u2019s network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victim\u2019s machine. Users are advised to upgrade as soon as possible. There are no known workarounds."
    },
    {
      "lang": "es",
      "value": "PJSIP es una biblioteca de comunicaci\u00f3n multimedia gratuita y de c\u00f3digo abierto escrita en lenguaje C que implementa protocolos basados en est\u00e1ndares como SIP, SDP, RTP, STUN, TURN e ICE. En las versiones afectadas, si el mensaje STUN entrante contiene un atributo ERROR-CODE, no se comprueba la longitud del encabezado antes de llevar a cabo una operaci\u00f3n de sustracci\u00f3n, resultando en un escenario de desbordamiento de enteros. Este problema afecta a todos los usuarios que usan STUN. Un actor malicioso situado en la red de la v\u00edctima puede falsificar y enviar un mensaje UDP (STUN) especialmente dise\u00f1ado que podr\u00eda ejecutar remotamente c\u00f3digo arbitrario en la m\u00e1quina de la v\u00edctima. Se aconseja a usuarios que actualicen lo antes posible. No se presentan soluciones conocidas"
    }
  ],
  "id": "CVE-2021-37706",
  "lastModified": "2025-11-04T16:15:43.010",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 9.3,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-12-22T18:15:07.487",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/166225/Asterisk-Project-Security-Advisory-AST-2022-004.html"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2022/Mar/0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202210-37"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2022/dsa-5285"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/166225/Asterisk-Project-Security-Advisory-AST-2022-004.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2022/Mar/0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202210-37"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2022/dsa-5285"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-191"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-191"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2021-37706

Vulnerability from fstec - Published: 10.08.2021

Title

Уязвимость мультимедийной коммуникационной библиотеки PJSIP, связанная с целочисленной потерей значимости, позволяющая нарушителю выполнить произвольный код

Description

Уязвимость мультимедийной коммуникационной библиотеки PJSIP связана с целочисленной потерей значимости при обработке сообщения STUN с атрибутом ERROR-CODE. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, выполнить произвольный код

Severity ?


                    
                      AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Vendor

Сообщество свободного программного обеспечения, АО "НППКТ"

Software Name

PJSIP, ОСОН ОСнова Оnyx (запись в едином реестре российских программ №5913)

Software Version

до 2.11.1 включительно (PJSIP), до 2.10 (ОСОН ОСнова Оnyx)

Possible Mitigations

Использование рекомендаций: https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865 https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984 Для ОСОН ОСнова Оnyx (версия 2.10): Обновление программного обеспечения asterisk до версии 1:18.14.0~dfsg+~cs6.12.40431414-1really16.28.0~dfsg-0+deb10u4

Reference

https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865 https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984 https://vuldb.com/ru/?id.188899 https://nvd.nist.gov/vuln/detail/CVE-2021-37706 https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.10/

CWE

CWE-191

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\"",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u0434\u043e 2.11.1 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (PJSIP), \u0434\u043e 2.10 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865 \nhttps://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0432\u0435\u0440\u0441\u0438\u044f 2.10):\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f asterisk \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 1:18.14.0~dfsg+~cs6.12.40431414-1really16.28.0~dfsg-0+deb10u4",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "10.08.2021",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "03.04.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "04.03.2022",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2022-01086",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2021-37706",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "PJSIP, \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\" \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx \u0434\u043e 2.10  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043c\u0443\u043b\u044c\u0442\u0438\u043c\u0435\u0434\u0438\u0439\u043d\u043e\u0439 \u043a\u043e\u043c\u043c\u0443\u043d\u0438\u043a\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 PJSIP, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u0446\u0435\u043b\u043e\u0447\u0438\u0441\u043b\u0435\u043d\u043d\u043e\u0439 \u043f\u043e\u0442\u0435\u0440\u0435\u0439 \u0437\u043d\u0430\u0447\u0438\u043c\u043e\u0441\u0442\u0438, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0426\u0435\u043b\u043e\u0447\u0438\u0441\u043b\u0435\u043d\u043d\u0430\u044f \u043f\u043e\u0442\u0435\u0440\u044f \u0437\u043d\u0430\u0447\u0438\u043c\u043e\u0441\u0442\u0438 (\u043f\u0440\u043e\u0441\u0442\u043e\u0439 \u0438\u043b\u0438 \u0446\u0438\u043a\u043b\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0441\u0434\u0432\u0438\u0433) (CWE-191)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043c\u0443\u043b\u044c\u0442\u0438\u043c\u0435\u0434\u0438\u0439\u043d\u043e\u0439 \u043a\u043e\u043c\u043c\u0443\u043d\u0438\u043a\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 PJSIP \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u0446\u0435\u043b\u043e\u0447\u0438\u0441\u043b\u0435\u043d\u043d\u043e\u0439 \u043f\u043e\u0442\u0435\u0440\u0435\u0439 \u0437\u043d\u0430\u0447\u0438\u043c\u043e\u0441\u0442\u0438 \u043f\u0440\u0438 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0435 \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u044f STUN \u0441 \u0430\u0442\u0440\u0438\u0431\u0443\u0442\u043e\u043c ERROR-CODE. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865 \nhttps://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984\nhttps://vuldb.com/ru/?id.188899\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-37706\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.10/",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-191",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,5)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,3)"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-37706 (GCVE-0-2021-37706)

CERTFR-2022-AVI-208

Solution

CERTFR-2022-AVI-410

Solution

GSD-2021-37706

FKIE_CVE-2021-37706

CVE-2021-37706

Tags

Sightings

Nomenclature