Search for vulnerabilities
Vulnerability details: VCID-vy2p-vaj9-kbgn
Vulnerability ID VCID-vy2p-vaj9-kbgn
Aliases CVE-2022-31031
Summary PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions prior to and including 2.12.1 a stack buffer overflow vulnerability affects PJSIP users that use STUN in their applications, either by: setting a STUN server in their account/media config in PJSUA/PJSUA2 level, or directly using `pjlib-util/stun_simple` API. A patch is available in commit 450baca which should be included in the next release. There are no known workarounds for this issue.
Status Published
Exploitability 0.5
Weighted Severity 8.8
Risk 4.4
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
System Score Found at
epss 0.00558 https://api.first.org/data/v1/epss?cve=CVE-2022-31031
epss 0.00558 https://api.first.org/data/v1/epss?cve=CVE-2022-31031
epss 0.00558 https://api.first.org/data/v1/epss?cve=CVE-2022-31031
epss 0.00558 https://api.first.org/data/v1/epss?cve=CVE-2022-31031
epss 0.00558 https://api.first.org/data/v1/epss?cve=CVE-2022-31031
epss 0.00558 https://api.first.org/data/v1/epss?cve=CVE-2022-31031
epss 0.00558 https://api.first.org/data/v1/epss?cve=CVE-2022-31031
epss 0.00558 https://api.first.org/data/v1/epss?cve=CVE-2022-31031
epss 0.00558 https://api.first.org/data/v1/epss?cve=CVE-2022-31031
epss 0.00558 https://api.first.org/data/v1/epss?cve=CVE-2022-31031
epss 0.00558 https://api.first.org/data/v1/epss?cve=CVE-2022-31031
epss 0.00558 https://api.first.org/data/v1/epss?cve=CVE-2022-31031
epss 0.00558 https://api.first.org/data/v1/epss?cve=CVE-2022-31031
epss 0.00558 https://api.first.org/data/v1/epss?cve=CVE-2022-31031
epss 0.00558 https://api.first.org/data/v1/epss?cve=CVE-2022-31031
epss 0.00558 https://api.first.org/data/v1/epss?cve=CVE-2022-31031
epss 0.00558 https://api.first.org/data/v1/epss?cve=CVE-2022-31031
cvssv3.1 9.8 https://github.com/pjsip/pjproject/commit/450baca94f475345542c6953832650c390889202
ssvc Track https://github.com/pjsip/pjproject/commit/450baca94f475345542c6953832650c390889202
cvssv3.1 9.8 https://github.com/pjsip/pjproject/security/advisories/GHSA-26j7-ww69-c4qj
ssvc Track https://github.com/pjsip/pjproject/security/advisories/GHSA-26j7-ww69-c4qj
cvssv3.1 9.8 https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html
ssvc Track https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html
cvssv3.1 9.8 https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
ssvc Track https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
cvssv2 6.8 https://nvd.nist.gov/vuln/detail/CVE-2022-31031
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2022-31031
cvssv3.1 9.8 https://security.gentoo.org/glsa/202210-37
ssvc Track https://security.gentoo.org/glsa/202210-37
cvssv3.1 9.8 https://www.debian.org/security/2023/dsa-5358
ssvc Track https://www.debian.org/security/2023/dsa-5358
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2022-31031
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23537
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23547
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31031
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37325
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39244
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39269
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42705
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42706
1017004 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1017004
202210-37 https://security.gentoo.org/glsa/202210-37
450baca94f475345542c6953832650c390889202 https://github.com/pjsip/pjproject/commit/450baca94f475345542c6953832650c390889202
cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:teluu:pjsip:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
CVE-2022-31031 https://nvd.nist.gov/vuln/detail/CVE-2022-31031
dsa-5358 https://www.debian.org/security/2023/dsa-5358
GHSA-26j7-ww69-c4qj https://github.com/pjsip/pjproject/security/advisories/GHSA-26j7-ww69-c4qj
msg00029.html https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html
msg00038.html https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
USN-6422-1 https://usn.ubuntu.com/6422-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/pjsip/pjproject/commit/450baca94f475345542c6953832650c390889202
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:49:22Z/ Found at https://github.com/pjsip/pjproject/commit/450baca94f475345542c6953832650c390889202
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/pjsip/pjproject/security/advisories/GHSA-26j7-ww69-c4qj
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:49:22Z/ Found at https://github.com/pjsip/pjproject/security/advisories/GHSA-26j7-ww69-c4qj
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:49:22Z/ Found at https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:49:22Z/ Found at https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2022-31031
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-31031
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.gentoo.org/glsa/202210-37
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:49:22Z/ Found at https://security.gentoo.org/glsa/202210-37
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.debian.org/security/2023/dsa-5358
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:49:22Z/ Found at https://www.debian.org/security/2023/dsa-5358
Exploit Prediction Scoring System (EPSS)
Percentile 0.67171
EPSS Score 0.00558
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:32:29.736205+00:00 Alpine Linux Importer Import https://secdb.alpinelinux.org/v3.18/main.json 37.0.0