Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-27585

Date: March 14, 2023

PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.13 and prior affects applications that use PJSIP DNS resolver. It doesn't affect PJSIP users who do not utilise PJSIP DNS resolver. This vulnerability is related to CVE-2022-24793. The difference is that this issue is in parsing the query record `parse_query()`, while the issue in CVE-2022-24793 is in `parse_rr()`. A patch is available as commit `d1c5e4d` in the `master` branch. A workaround is to disable DNS resolution in PJSIP config (by setting `nameserver_count` to zero) or use an external resolver implementation instead.

Language: C

Severity Score

Related Resources (10)

https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4
https://nvd.nist.gov/vuln/detail/CVE-2023-27585
https://github.com/pjsip/pjproject/commit/d1c5e4da5bae7f220bc30719888bb389c905c0c5
https://www.pjsip.org/pjlib-util/docs/html/group__PJ__DNS__RESOLVER.htm
https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
https://www.debian.org/security/2023/dsa-5438
https://security-tracker.debian.org/tracker/CVE-2023-27585
https://github.com/pjsip/pjproject/security/advisories/GHSA-q9cp-8wcq-7pfr
https://lists.debian.org/debian-lts-announce/2023/04/msg00020.html
https://www.mend.io/vulnerability-database/CVE-2023-27585

Severity Score

Weakness Type (CWE)

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-120

Heap-based Buffer Overflow

CWE-122

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): HIGH

Do you need more information?

Contact Us