{"url":"http://public2.vulnerablecode.io/api/packages/679301?format=json","purl":"pkg:deb/debian/sofia-sip@1.12.11%2B20110422.1-2.1","type":"deb","namespace":"debian","name":"sofia-sip","version":"1.12.11+20110422.1-2.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.12.11+20110422.1-2.1+deb11u2","latest_non_vulnerable_version":"1.12.11+20110422.1-2.1+deb11u2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101086?format=json","vulnerability_id":"VCID-7zys-jfw3-rkhf","summary":"Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent library. Prior to version 1.13.8, an attacker can send a message with evil sdp to FreeSWITCH, which may cause crash. This type of crash may be caused by `#define MATCH(s, m) (strncmp(s, m, n = sizeof(m) - 1) == 0)`, which will make `n` bigger and trigger out-of-bound access when `IS_NON_WS(s[n])`. Version 1.13.8 contains a patch for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31001","reference_id":"","reference_type":"","scores":[{"value":"0.01037","scoring_system":"epss","scoring_elements":"0.77744","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01037","scoring_system":"epss","scoring_elements":"0.77772","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01037","scoring_system":"epss","scoring_elements":"0.77779","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01037","scoring_system":"epss","scoring_elements":"0.77769","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01037","scoring_system":"epss","scoring_elements":"0.77759","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31001"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31001","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31001"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?
name=CVE-2022-31002","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31002"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31003","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31003"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47516","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47516"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22741","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22741"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016974","reference_id":"1016974","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016974"},{"reference_url":"https://security.gentoo.org/glsa/202210-18","reference_id":"GLSA-202210-18","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202210-18"},{"reference_url":"https://usn.ubuntu.com/5932-1/","reference_id":"USN-5932-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5932-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/679302?format=json","purl":"pkg:deb/debian/sofia-sip@1.12.11%2B20110422.1-2.1%2Bdeb11u2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/sofia-sip@1.12.11%252B20110422.1-2.1%252Bdeb11u2"}],"aliases":["CVE-2022-31001"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7zys-jfw3-rkhf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101087?format=json","vulnerability_id":"VCID-ef58-vu9c-kffy","summary":"Sofia-SIP is an open-source Session Initiation Protocol (SIP) 
User-Agent library. Prior to version 1.13.8, an attacker can send a message with evil sdp to FreeSWITCH, which may cause a crash. This type of crash may be caused by a URL ending with `%`. Version 1.13.8 contains a patch for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31002","reference_id":"","reference_type":"","scores":[{"value":"0.01086","scoring_system":"epss","scoring_elements":"0.78245","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01086","scoring_system":"epss","scoring_elements":"0.78271","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01086","scoring_system":"epss","scoring_elements":"0.78278","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01086","scoring_system":"epss","scoring_elements":"0.78268","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01086","scoring_system":"epss","scoring_elements":"0.78256","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31002"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31001","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31001"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31002","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31002"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31003","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31003"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47516","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47516"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22741","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22741"
},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016974","reference_id":"1016974","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016974"},{"reference_url":"https://github.com/freeswitch/sofia-sip/commit/51841eb53679434a386fb2dcbca925dcc48d58ba","reference_id":"51841eb53679434a386fb2dcbca925dcc48d58ba","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:41:11Z/"}],"url":"https://github.com/freeswitch/sofia-sip/commit/51841eb53679434a386fb2dcbca925dcc48d58ba"},{"reference_url":"https://www.debian.org/security/2023/dsa-5410","reference_id":"dsa-5410","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:41:11Z/"}],"url":"https://www.debian.org/security/2023/dsa-5410"},{"reference_url":"https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-g3x6-p824-x6hm","reference_id":"GHSA-g3x6-p824-x6hm","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:41:11Z/"}],"url":"https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-g3x6-p824-x6hm"},{"reference_url":"https://security.gentoo.org/glsa/202210-18","reference_id":"GLSA-202210-18","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:41:11Z/"}],"url":"https://security.ge
ntoo.org/glsa/202210-18"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00001.html","reference_id":"msg00001.html","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:41:11Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00001.html"},{"reference_url":"https://usn.ubuntu.com/5932-1/","reference_id":"USN-5932-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5932-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/679302?format=json","purl":"pkg:deb/debian/sofia-sip@1.12.11%2B20110422.1-2.1%2Bdeb11u2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/sofia-sip@1.12.11%252B20110422.1-2.1%252Bdeb11u2"}],"aliases":["CVE-2022-31002"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ef58-vu9c-kffy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101090?format=json","vulnerability_id":"VCID-n84b-v1va-1fhu","summary":"Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification. In affected versions Sofia-SIP **lacks both message length and attributes length checks** when it handles STUN packets, leading to controllable heap-over-flow. For example, in stun_parse_attribute(), after we get the attribute's type and length value, the length will be used directly to copy from the heap, regardless of the message's left size. Since network users control the overflowed length, and the data is written to heap chunks later, attackers may achieve remote code execution by heap grooming or other exploitation methods. 
The bug was introduced 16 years ago in sofia-sip 1.12.4 (plus some patches through 12/21/2006) to in tree libs with git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@3774 d0543943-73ff-0310-b7d9-9358b9ac24b2. Users are advised to upgrade. There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22741","reference_id":"","reference_type":"","scores":[{"value":"0.0148","scoring_system":"epss","scoring_elements":"0.81322","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0148","scoring_system":"epss","scoring_elements":"0.81349","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0148","scoring_system":"epss","scoring_elements":"0.81352","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0148","scoring_system":"epss","scoring_elements":"0.8135","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0148","scoring_system":"epss","scoring_elements":"0.81346","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22741"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31001","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31001"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31002","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31002"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31003","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31003"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47516","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47516"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22741","reference_id":"","reference_type":"","scores":[],"url":"ht
tps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22741"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029654","reference_id":"1029654","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029654"},{"reference_url":"https://github.com/freeswitch/sofia-sip/commit/da53e4fbcb138b080a75576dd49c1fff2ada2764","reference_id":"da53e4fbcb138b080a75576dd49c1fff2ada2764","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-10T21:02:31Z/"}],"url":"https://github.com/freeswitch/sofia-sip/commit/da53e4fbcb138b080a75576dd49c1fff2ada2764"},{"reference_url":"https://www.debian.org/security/2023/dsa-5410","reference_id":"dsa-5410","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-10T21:02:31Z/"}],"url":"https://www.debian.org/security/2023/dsa-5410"},{"reference_url":"https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54","reference_id":"GHSA-8599-x7rq-fr54","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-10T21:02:31Z/"}],"url":"https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54"},{"reference_url":"https://security.gentoo.org/glsa/202407-10","reference_id":"GLSA-202407-10","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202407-10"},{"reference_url":"https://usn.ubuntu.com/5932-1/","reference_id":"USN-5932-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/
5932-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/679302?format=json","purl":"pkg:deb/debian/sofia-sip@1.12.11%2B20110422.1-2.1%2Bdeb11u2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/sofia-sip@1.12.11%252B20110422.1-2.1%252Bdeb11u2"}],"aliases":["CVE-2023-22741"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n84b-v1va-1fhu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101088?format=json","vulnerability_id":"VCID-nk9s-zqx5-vkgs","summary":"Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent library. Prior to version 1.13.8, when parsing each line of an SDP message, `rest = record + 2` will access the memory behind `\\0` and cause an out-of-bounds write. An attacker can send a message with evil SDP to FreeSWITCH, causing a crash or a more serious consequence, such as remote code execution. 
Version 1.13.8 contains a patch for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31003","reference_id":"","reference_type":"","scores":[{"value":"0.1379","scoring_system":"epss","scoring_elements":"0.94417","published_at":"2026-06-04T12:55:00Z"},{"value":"0.1379","scoring_system":"epss","scoring_elements":"0.94425","published_at":"2026-06-05T12:55:00Z"},{"value":"0.1379","scoring_system":"epss","scoring_elements":"0.94427","published_at":"2026-06-06T12:55:00Z"},{"value":"0.1379","scoring_system":"epss","scoring_elements":"0.94429","published_at":"2026-06-07T12:55:00Z"},{"value":"0.1379","scoring_system":"epss","scoring_elements":"0.9443","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31003"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31001","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31001"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31002","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31002"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31003","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31003"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47516","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47516"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22741","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22741"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016974","reference_id":"1016974","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=10
16974"},{"reference_url":"https://github.com/freeswitch/sofia-sip/commit/907f2ac0ee504c93ebfefd676b4632a3575908c9","reference_id":"907f2ac0ee504c93ebfefd676b4632a3575908c9","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:41:07Z/"}],"url":"https://github.com/freeswitch/sofia-sip/commit/907f2ac0ee504c93ebfefd676b4632a3575908c9"},{"reference_url":"https://www.debian.org/security/2023/dsa-5410","reference_id":"dsa-5410","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:41:07Z/"}],"url":"https://www.debian.org/security/2023/dsa-5410"},{"reference_url":"https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8w5j-6g2j-pxcp","reference_id":"GHSA-8w5j-6g2j-pxcp","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:41:07Z/"}],"url":"https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8w5j-6g2j-pxcp"},{"reference_url":"https://security.gentoo.org/glsa/202210-18","reference_id":"GLSA-202210-18","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:41:07Z/"}],"url":"https://security.gentoo.org/glsa/202210-18"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00001.html","reference_id":"msg00001.html","reference_type":"","scores":[{"value":"9.1","scorin
g_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:41:07Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00001.html"},{"reference_url":"https://usn.ubuntu.com/5932-1/","reference_id":"USN-5932-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5932-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/679302?format=json","purl":"pkg:deb/debian/sofia-sip@1.12.11%2B20110422.1-2.1%2Bdeb11u2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/sofia-sip@1.12.11%252B20110422.1-2.1%252Bdeb11u2"}],"aliases":["CVE-2022-31003"],"risk_score":4.1,"exploitability":"0.5","weighted_severity":"8.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nk9s-zqx5-vkgs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101089?format=json","vulnerability_id":"VCID-qwqc-nghe-3ka1","summary":"An issue was discovered in the libsofia-sip fork in drachtio-server before 0.8.20. 
It allows remote attackers to cause a denial of service (daemon crash) via a crafted UDP message that leads to a failure of the libsofia-sip-ua/tport/tport.c self assertion.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-47516","reference_id":"","reference_type":"","scores":[{"value":"0.01257","scoring_system":"epss","scoring_elements":"0.79724","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01257","scoring_system":"epss","scoring_elements":"0.7975","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01257","scoring_system":"epss","scoring_elements":"0.79756","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01257","scoring_system":"epss","scoring_elements":"0.79751","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01257","scoring_system":"epss","scoring_elements":"0.7974","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-47516"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31001","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31001"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31002","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31002"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31003","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31003"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47516","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47516"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22741","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22741"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi
?bug=1031792","reference_id":"1031792","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031792"},{"reference_url":"https://github.com/davehorton/sofia-sip/commit/13b2a135287caa2d67ac6cd5155626821e25b377","reference_id":"13b2a135287caa2d67ac6cd5155626821e25b377","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-17T18:54:21Z/"}],"url":"https://github.com/davehorton/sofia-sip/commit/13b2a135287caa2d67ac6cd5155626821e25b377"},{"reference_url":"https://github.com/drachtio/drachtio-server/issues/244","reference_id":"244","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-17T18:54:21Z/"}],"url":"https://github.com/drachtio/drachtio-server/issues/244"},{"reference_url":"https://www.debian.org/security/2023/dsa-5410","reference_id":"dsa-5410","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-17T18:54:21Z/"}],"url":"https://www.debian.org/security/2023/dsa-5410"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2023/02/msg00028.html","reference_id":"msg00028.html","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-17T18:54:21Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2023/02/msg00028.html"},{"reference_url":"https://usn.ubuntu.com/5932-1/","referen
ce_id":"USN-5932-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5932-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/679302?format=json","purl":"pkg:deb/debian/sofia-sip@1.12.11%2B20110422.1-2.1%2Bdeb11u2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/sofia-sip@1.12.11%252B20110422.1-2.1%252Bdeb11u2"}],"aliases":["CVE-2022-47516"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qwqc-nghe-3ka1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101091?format=json","vulnerability_id":"VCID-r456-aab2-1ubf","summary":"Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification. Referring to [GHSA-8599-x7rq-fr54](https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54), several other potential heap overflows and integer overflows in stun_parse_attr_error_code and stun_parse_attr_uint32 were found because of the lack of attribute length checks when Sofia-SIP handles STUN packets. The previous patch for [GHSA-8599-x7rq-fr54](https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54) fixed the vulnerability when attr_type did not match the enum value, but there are also vulnerabilities in the handling of other valid cases. The OOB read and integer overflow triggered by an attacker may lead to a crash, high memory consumption, or even more serious consequences. These issues have been addressed in version 1.13.15. 
Users are advised to upgrade.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32307","reference_id":"","reference_type":"","scores":[{"value":"0.00361","scoring_system":"epss","scoring_elements":"0.58578","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00361","scoring_system":"epss","scoring_elements":"0.58565","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00361","scoring_system":"epss","scoring_elements":"0.58579","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00361","scoring_system":"epss","scoring_elements":"0.58587","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32307"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32307","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32307"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036847","reference_id":"1036847","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036847"},{"reference_url":"https://www.debian.org/security/2023/dsa-5431","reference_id":"dsa-5431","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:20:35Z/"}],"url":"https://www.debian.org/security/2023/dsa-5431"},{"reference_url":"https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-rm4c-ccvf-ff9c","reference_id":"GHSA-rm4c-ccvf-ff9c","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:20:35Z/"}],"url":"https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-rm4c-ccvf-ff9c"},{"reference_url":"https://secu
rity.gentoo.org/glsa/202407-10","reference_id":"GLSA-202407-10","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202407-10"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2023/06/msg00002.html","reference_id":"msg00002.html","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:20:35Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2023/06/msg00002.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OY66DOQ3B7GULJTI66X5HNX5FU3P65CX/","reference_id":"OY66DOQ3B7GULJTI66X5HNX5FU3P65CX","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-14T19:20:35Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OY66DOQ3B7GULJTI66X5HNX5FU3P65CX/"},{"reference_url":"https://usn.ubuntu.com/6448-1/","reference_id":"USN-6448-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6448-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/679302?format=json","purl":"pkg:deb/debian/sofia-sip@1.12.11%2B20110422.1-2.1%2Bdeb11u2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/sofia-sip@1.12.11%252B20110422.1-2.1%252Bdeb11u2"}],"aliases":["CVE-2023-32307"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r456-aab2-1ubf"}],"fixing_vulnerabilities":[],"risk_score":"4.4","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/sofia-
sip@1.12.11%252B20110422.1-2.1"}