Home > Vulnerability Database > CVE-2023-28097

Mend.io Vulnerability Database

CVE-2023-28097

Date: March 15, 2023

OpenSIPS is a Session Initiation Protocol (SIP) server implementation. Prior to versions 3.1.9 and 3.2.6, a malformed SIP message containing a large Content-Length value and a specially crafted Request-URI causes a segmentation fault in OpenSIPS. This issue occurs when a large amount of shared memory using the "-m" flag was allocated to OpenSIPS, such as 10 GB of RAM. On the test system, this issue occurred when shared memory was set to "2362" or higher. This issue is fixed in versions 3.1.9 and 3.2.6. The only workaround is to guarantee that the Content-Length value of input messages is never larger than "2147483647".

Language: C

Severity Score

7.5

Related Resources (5)

Url: https://github.com/OpenSIPS/opensips/security/advisories/GHSA-c6j5-f4h4-2xrq

Url: https://github.com/OpenSIPS/opensips/commit/7cab422e2fc648f910abba34f3f0dbb3ae171ff5

Url: https://opensips.org/pub/audit-2022/opensips-audit-technical-report-full.pdf

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-28097

Url: https://www.mend.io/vulnerability-database/CVE-2023-28097

Severity Score

7.5

Weakness Type (CWE)

Integer Overflow or Wraparound

CWE-190

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-28097

Date: March 15, 2023

Language: C

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?