{"api_version":"1","generated_at":"2026-04-23T06:08:28+00:00","cve":"CVE-2022-24793","urls":{"html":"https://cve.report/CVE-2022-24793","api":"https://cve.report/api/cve/CVE-2022-24793.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-24793","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-24793"},"summary":{"title":"CVE-2022-24793","description":"PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.12 and prior affects applications that use PJSIP DNS resolution. It doesn't affect PJSIP users who utilize an external resolver. This vulnerability is related to CVE-2023-27585. The difference is that this issue is in parsing the query record `parse_rr()`, while the issue in CVE-2023-27585 is in `parse_query()`. A patch is available in the `master` branch of the `pjsip/pjproject` GitHub repository. A workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an external resolver instead.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2022-04-06 14:15:00","updated_at":"2023-08-30 01:15:00"},"problem_types":["CWE-120"],"metrics":[],"references":[{"url":"https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4","name":"https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4","refsource":"CONFIRM","tags":[],"title":"Potential heap buffer overflow when parsing DNS packets · Advisory · pjsip/pjproject · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a","name":"https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a","refsource":"MISC","tags":[],"title":"Merge pull request from GHSA-p6g5-v97c-w5q4 · pjsip/pjproject@9fae8f4 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202210-37","name":"GLSA-202210-37","refsource":"GENTOO","tags":[],"title":"PJSIP: Multiple Vulnerabilities (GLSA 202210-37) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00047.html","name":"[debian-lts-announce] 20220531 [SECURITY] [DLA 3036-1] pjproject security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3036-1] pjproject security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html","name":"[debian-lts-announce] 20230829 [SECURITY] [DLA 3549-1] ring security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3549-1] ring security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.debian.org/security/2022/dsa-5285","name":"DSA-5285","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5285-1 asterisk","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html","name":"[debian-lts-announce] 20221117 [SECURITY] [DLA 3194-1] asterisk security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3194-1] asterisk security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-24793","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24793","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"24793","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24793","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"11.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24793","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24793","vulnerable":"1","versionEndIncluding":"2.12","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"pjsip","cpe5":"pjsip","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-24793","qid":"179340","title":"Debian Security Update for pjproject (DLA 3036-1)"},{"cve":"CVE-2022-24793","qid":"181225","title":"Debian Security Update for asterisk (DLA 3194-1)"},{"cve":"CVE-2022-24793","qid":"181237","title":"Debian Security Update for asterisk (DSA 5285-1)"},{"cve":"CVE-2022-24793","qid":"181742","title":"Debian Security Update for asterisk (DLA 3394-1)"},{"cve":"CVE-2022-24793","qid":"182332","title":"Debian Security Update for ring (CVE-2022-24793)"},{"cve":"CVE-2022-24793","qid":"199817","title":"Ubuntu Security Notification for Ring Vulnerabilities (USN-6422-1)"},{"cve":"CVE-2022-24793","qid":"502232","title":"Alpine Linux Security Update for pjproject"},{"cve":"CVE-2022-24793","qid":"504293","title":"Alpine Linux Security Update for pjproject"},{"cve":"CVE-2022-24793","qid":"6000045","title":"Debian Security Update for ring (DLA 3549-1)"},{"cve":"CVE-2022-24793","qid":"6000231","title":"Debian Security Update for asterisk (DSA 5438-1)"},{"cve":"CVE-2022-24793","qid":"710674","title":"Gentoo Linux PJSIP Multiple Vulnerabilities (GLSA 202210-37)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2022-24793","STATE":"PUBLIC","TITLE":"Potential heap buffer overflow when parsing DNS packets in PJSIP"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"pjproject","version":{"version_data":[{"version_value":"<= 2.12"}]}}]},"vendor_name":"pjsip"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.12 and prior affects applications that use PJSIP DNS resolution. It doesn't affect PJSIP users who utilize an external resolver. This vulnerability is related to CVE-2023-27585. The difference is that this issue is in parsing the query record `parse_rr()`, while the issue in CVE-2023-27585 is in `parse_query()`. A patch is available in the `master` branch of the `pjsip/pjproject` GitHub repository. A workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an external resolver instead."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}]},"references":{"reference_data":[{"name":"https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4","refsource":"CONFIRM","url":"https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4"},{"name":"https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a","refsource":"MISC","url":"https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a"},{"refsource":"MLIST","name":"[debian-lts-announce] 20220531 [SECURITY] [DLA 3036-1] pjproject security update","url":"https://lists.debian.org/debian-lts-announce/2022/05/msg00047.html"},{"refsource":"GENTOO","name":"GLSA-202210-37","url":"https://security.gentoo.org/glsa/202210-37"},{"refsource":"MLIST","name":"[debian-lts-announce] 20221117 [SECURITY] [DLA 3194-1] asterisk security update","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"},{"refsource":"DEBIAN","name":"DSA-5285","url":"https://www.debian.org/security/2022/dsa-5285"},{"refsource":"MLIST","name":"[debian-lts-announce] 20230829 [SECURITY] [DLA 3549-1] ring security update","url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html"}]},"source":{"advisory":"GHSA-p6g5-v97c-w5q4","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2022-04-06 14:15:00","lastModifiedDate":"2023-08-30 01:15:00","problem_types":["CWE-120"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:N/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:pjsip:pjsip:*:*:*:*:*:*:*:*","versionEndIncluding":"2.12","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"24793","Ordinal":"228267","Title":"CVE-2022-24793","CVE":"CVE-2022-24793","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"24793","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}