PT-2022-20450 · Sofia-Sip+4

Cossack9989 · Published 2022-05-31 · Updated 2025-08-12 · CVE-2022-31003

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Sofia-SIP versions prior to 1.13.8

Description

Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent library. When parsing each line of an SDP message, rest = record + 2 will access the memory behind the terminating \0 and cause an out-of-bounds write. An attacker can send a message with malicious SDP to FreeSWITCH, causing a crash or a more serious consequence, such as remote code execution.

Recommendations

For versions prior to 1.13.8, update to version 1.13.8 to resolve the issue. As a temporary workaround, consider restricting the parsing of SDP messages to prevent potential crashes or remote code execution. Avoid using the vulnerable rest = record + 2 line in the SDP message parsing function until the issue is resolved.
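
The length check that the description above calls for, as an added example (it is not Sofia-SIP's code and not the 1.13.8 patch): a simplified line parser that refuses any line too short for record + 2 to stay inside the string. The names sdp_line_value and sdp_count_valid_lines and the sample message are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Sofia-SIP code: check one NUL-terminated SDP line
 * of the form "<type>=<value>" before any pointer is derived from it.
 * Returns a pointer to the value, or NULL if record + 2 would not be safe. */
const char *sdp_line_value(const char *record, char *type_out)
{
    /* Empty line: record[0] is the NUL, so record + 2 lies past it.
     * One-byte line: record[1] is the NUL, so record + 2 is one past it.
     * The || short-circuits, so record[1] is only read when it exists. */
    if (record == NULL || record[0] == '\0' || record[1] != '=')
        return NULL;
    if (type_out != NULL)
        *type_out = record[0];
    return record + 2; /* at worst this is the terminating NUL itself */
}

/* Split a writable buffer into lines in place; return how many lines pass
 * the check and store the number of refused lines in *rejected. */
int sdp_count_valid_lines(char *msg, int *rejected)
{
    int ok = 0;
    *rejected = 0;
    while (*msg != '\0') {
        char *end = msg + strcspn(msg, "\r\n");
        char *next = end;
        if (*next == '\r') next++;   /* step over one CRLF or bare LF */
        if (*next == '\n') next++;
        *end = '\0';                 /* terminate the current line */
        if (sdp_line_value(msg, NULL) != NULL)
            ok++;
        else
            (*rejected)++;
        msg = next;
    }
    return ok;
}

int main(void)
{
    /* Constructed sample: line 3 ("s") and line 4 (empty) are too short. */
    char msg[] = "v=0\r\no=- 1 1 IN IP4 192.0.2.1\r\ns\r\n\r\nm=audio 9 RTP/AVP 0\r\n";
    int rejected = 0;
    int ok = sdp_count_valid_lines(msg, &rejected);
    printf("accepted=%d rejected=%d\n", ok, rejected);
    return 0;
}
```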

Exploit · Fix · RCE · Memory Corruption · Heap Based Buffer Overflow

Weakness Enumeration

Related Identifiers

BDU:2025-09870
CVE-2022-31003
DLA-3091-1
DSA-5410-1
GHSA-8W5J-6G2J-PXCP
MGASA-2022-0343
USN-5932-1

Affected Products

Freeswitch
Linuxmint
Red Os
Sofia-Sip
Ubuntu