CVE-2023-28099

Name of the Vulnerable Software and Affected Versions OpenSIPS versions prior to 3.1.9 and 3.2.6

Description OpenSIPS is a Session Initiation Protocol (SIP) server implementation. If the ds is in list() function is used with an invalid IP address string, OpenSIPS will attempt to print a string from a random address, which could lead to a crash. All users of ds is in list() without the $si variable as the 1st parameter could be affected by this issue to a larger, lesser, or no extent at all, depending on if the data passed to the function is a valid IPv4 or IPv6 address string or not.

Recommendations For versions prior to 3.1.9, update to version 3.1.9 or later. For versions prior to 3.2.6, update to version 3.2.6 or later. As a temporary workaround, consider avoiding the use of the ds is in list() function with invalid IP address strings until a patch is available.