Vulnerability Description
An issue was discovered in Teluu pjproject (pjlib and pjlib-util) in PJSIP before 2.7.1. Parsing the numeric header fields in a SIP message (like cseq, ttl, port, etc.) all had the potential to overflow, either causing unintended values to be captured or, if the values were subsequently converted back to strings, a buffer overrun. This will lead to a potential exploit using carefully crafted invalid values.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Teluu | Pjsip | < 2.7.1 |
| Debian | Debian Linux | 9.0 |
Related Weaknesses (CWE)
References
- https://trac.pjsip.org/repos/milestone/release-2.7.1Release NotesVendor Advisory
- https://trac.pjsip.org/repos/ticket/2056Vendor Advisory
- https://www.debian.org/security/2018/dsa-4170Third Party Advisory
- https://trac.pjsip.org/repos/milestone/release-2.7.1Release NotesVendor Advisory
- https://trac.pjsip.org/repos/ticket/2056Vendor Advisory
- https://www.debian.org/security/2018/dsa-4170Third Party Advisory
FAQ
What is CVE-2017-16872?
CVE-2017-16872 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An issue was discovered in Teluu pjproject (pjlib and pjlib-util) in PJSIP before 2.7.1. Parsing the numeric header fields in a SIP message (like cseq, ttl, port, etc.) all had the potential to overfl...
How severe is CVE-2017-16872?
CVE-2017-16872 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2017-16872?
Check the references section above for vendor advisories and patch information. Affected products include: Teluu Pjsip, Debian Debian Linux.