high
7.5
CWE
122 190 787
Advisory Published
CVE Published
Updated

CVE-2023-32307: heap-over-flow and integer-overflow in sofia-sip

First published: Fri May 26 2023(Updated: )

Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification. Referring to [GHSA-8599-x7rq-fr54](https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54), several other potential heap-over-flow and integer-overflow in stun_parse_attr_error_code and stun_parse_attr_uint32 were found because the lack of attributes length check when Sofia-SIP handles STUN packets. The previous patch of [GHSA-8599-x7rq-fr54](https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54) fixed the vulnerability when attr_type did not match the enum value, but there are also vulnerabilities in the handling of other valid cases. The OOB read and integer-overflow made by attacker may lead to crash, high consumption of memory or even other more serious consequences. These issue have been addressed in version 1.13.15. Users are advised to upgrade.

Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
ubuntu/sofia-sip<1.12.11+20110422.1+1
1.12.11+20110422.1+1
ubuntu/sofia-sip<1.12.11+20110422.1-2.1+
1.12.11+20110422.1-2.1+
ubuntu/sofia-sip<1.12.11+20110422.1-2.1+
1.12.11+20110422.1-2.1+
ubuntu/sofia-sip<1.12.11+20110422.1-2.1+
1.12.11+20110422.1-2.1+
ubuntu/sofia-sip<1.12.11+20110422.1+1
1.12.11+20110422.1+1
ubuntu/sofia-sip<1.12.11+20110422.1+1
1.12.11+20110422.1+1
ubuntu/sofia-sip<1.12.11+20110422.1-2.1+
1.12.11+20110422.1-2.1+
debian/sofia-sip<=1.12.11+20110422.1-2.1
1.12.11+20110422.1-2.1+deb10u4
1.12.11+20110422.1-2.1+deb11u2
1.12.11+20110422.1+1e14eea~dfsg-6
SignalWire Sofia-SIP<1.13.15
Debian Debian Linux=10.0

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is CVE-2023-32307?

    CVE-2023-32307 is a vulnerability in the Sofia-SIP open-source SIP User-Agent library that can cause heap overflow and integer overflow issues.

  • How severe is CVE-2023-32307?

    CVE-2023-32307 has a severity rating of 7.5, which is considered high.

  • What is the affected software for CVE-2023-32307?

    The affected software for CVE-2023-32307 includes Sofia-SIP version 1.12.11+20110422.1-2.1+deb10u4, 1.12.11+20110422.1-2.1+deb11u2, 1.12.11+20110422.1+1e14eea~dfsg-6, Signalwire Sofia-sip version up to 1.13.15, and Debian Debian Linux version 10.0.

  • How do I fix CVE-2023-32307?

    To fix CVE-2023-32307, you should update the Sofia-SIP library to a version that includes the necessary patches or apply the recommended fixes provided by the software vendor.

  • Where can I find more information about CVE-2023-32307?

    More information about CVE-2023-32307 can be found in the [GitHub advisory](https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-rm4c-ccvf-ff9c), the [Debian security announcement](https://lists.debian.org/debian-lts-announce/2023/06/msg00002.html), and the [related GitHub pull request](https://github.com/freeswitch/sofia-sip/pull/214).

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203