CVE-2021-43302
First published: Wed Feb 16 2022(Updated: )
Read out-of-bounds in PJSUA API when calling pjsua_recorder_create. An attacker-controlled 'filename' argument may cause an out-of-bounds read when the filename is shorter than 4 characters.
Credit: reefs@jfrog.com reefs@jfrog.com reefs@jfrog.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Teluu PJSIP | <=2.11.1 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| ubuntu/ring | <20180228.1.503 | 20180228.1.503 |
| ubuntu/ring | <20190215.1. | 20190215.1. |
| debian/asterisk | 1:16.28.0~dfsg-0+deb10u4 1:16.28.0~dfsg-0+deb11u3 1:16.28.0~dfsg-0+deb11u4 1:20.6.0~dfsg+~cs6.13.40431414-2 | |
| debian/ring | <=20190215.1.f152c98~ds1-1+deb10u1<=20210112.2.b757bac~ds1-1 | 20190215.1.f152c98~ds1-1+deb10u2 20230206.0~ds2-1.1 20231201.0~ds1-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
- https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html
- https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
- https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
- https://www.debian.org/security/2022/dsa-5285
- https://launchpad.net/bugs/cve/CVE-2021-43302
- https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337
- https://security-tracker.debian.org/tracker/CVE-2021-43302
- https://ubuntu.com/security/notices/USN-6422-1
- https://www.cve.org/CVERecord?id=CVE-2021-43302
- https://nvd.nist.gov/vuln/detail/CVE-2021-43302
- https://ubuntu.com/security/CVE-2021-43302
Frequently Asked Questions
What is the vulnerability ID for this vulnerability?
The vulnerability ID for this vulnerability is CVE-2021-43302.
What is the severity of CVE-2021-43302?
The severity of CVE-2021-43302 is critical with a severity value of 9.1.
Which software is affected by CVE-2021-43302?
The software affected by CVE-2021-43302 includes Teluu Pjsip (up to version 2.11.1), Debian Linux 9.0, Debian Linux 10.0, Debian Linux 11.0, and Ubuntu Ring (versions up to 20180228.1.503 and 20190215.1.).
What is the impact of CVE-2021-43302?
CVE-2021-43302 can allow an attacker-controlled filename to cause an out-of-bounds read, leading to potential information disclosure or denial of service.
How can CVE-2021-43302 be fixed?
To fix CVE-2021-43302, users should update to the recommended patches or versions provided by the software vendors.
- collector/nvd-api
- collector/nvd-index
- agent/type
- agent/last-modified-date
- collector/launchpad-cve
- source/Launchpad
- agent/first-publish-date
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/remedy
- agent/severity
- agent/weakness
- agent/author
- agent/description
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/teluu
- canonical/teluu pjsip
- version/teluu pjsip/2.11.1
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- package-manager/debian
- package-manager/ubuntu