CVE-2023-27596
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
OpenSIPS is a Session Initiation Protocol (SIP) server implementation. Prior to versions 3.1.8 and 3.2.5, OpenSIPS crashes when a malformed SDP body is sent multiple times to an OpenSIPS configuration that makes use of the stream_process function. This issue was discovered during coverage guided fuzzing of the function codec_delete_except_re. By abusing this vulnerability, an attacker is able to crash the server. It affects configurations containing functions that rely on the affected code, such as the function codec_delete_except_re. This issue has been fixed in version 3.1.8 and 3.2.5.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| OpenSIPS | opensips | < 3.1.8 | affected |
| OpenSIPS | opensips | >= 3.2.0, < 3.2.5 | affected |
Weaknesses
- CWE-770: CWE-770: Allocation of Resources Without Limits or Throttling
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/OpenSIPS/opensips/security/advisories/GHSA-3ghx-j39m-cw4f
- https://github.com/OpenSIPS/opensips/commit/dd051f8ed5ae3347fb1d556ced3c97822c9d8450
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/OpenSIPS/opensips/security/advisories/GHSA-3ghx-j39m-cw4f
- https://github.com/OpenSIPS/opensips/commit/dd051f8ed5ae3347fb1d556ced3c97822c9d8450
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.