CVE-2022-24754

Name of the Vulnerable Software and Affected Versions PJSIP versions prior to and including 2.12

Description The issue is a stack-buffer overflow vulnerability in the PJSIP library, which only impacts users who accept hashed digest credentials with data type PJSIP CRED DATA DIGEST. This vulnerability can be exploited by a remote attacker to cause a denial of service or execute arbitrary code. The vulnerability is related to the pjsip auth create digest() function and can lead to memory damage.

Recommendations For versions prior to and including 2.12, users should check that the hashed digest data length is equal to PJSIP MD5STRLEN before passing it to PJSIP. As a temporary workaround, consider adding a length check for the hashed digest data to prevent the stack-buffer overflow. Users should upgrade to a newer version once it is available, as the issue has been patched in the master branch of the PJSIP repository.