Ubuntu update for ring
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 20 |
| CVE-ID | CVE-2021-37706 CVE-2021-43299 CVE-2021-43300 CVE-2021-43301 CVE-2021-43302 CVE-2021-43303 CVE-2021-43804 CVE-2021-43845 CVE-2022-21722 CVE-2022-21723 CVE-2022-23537 CVE-2022-23547 CVE-2022-23608 CVE-2022-24754 CVE-2022-24763 CVE-2022-24764 CVE-2022-24793 CVE-2022-31031 CVE-2022-39244 CVE-2023-27585 |
| CWE-ID | CWE-190 CWE-121 CWE-125 CWE-119 CWE-122 CWE-416 CWE-835 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Ubuntu Operating systems & Components / Operating system jami-daemon (Ubuntu package) Operating systems & Components / Operating system package or component jami (Ubuntu package) Operating systems & Components / Operating system package or component |
| Vendor | Canonical Ltd. |
Security Bulletin
This security bulletin contains information about 20 vulnerabilities.
1) Integer overflow
EUVDB-ID: #VU60857
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-37706
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow within STUN message that contains an ERROR-CODE attribute. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package ring to the latest version.
Vulnerable software versionsUbuntu: 23.10
jami-daemon (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
jami (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:jami-daemon_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:jami_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6422-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Stack-based buffer overflow
EUVDB-ID: #VU60951
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-43299
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in PJSUA API when calling pjsua_player_create. A remote unauthenticated attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package ring to the latest version.
Vulnerable software versionsUbuntu: 23.10
jami-daemon (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
jami (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:jami-daemon_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:jami_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6422-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Stack-based buffer overflow
EUVDB-ID: #VU60953
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-43300
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in PJSUA API when calling pjsua_recorder_create. A remote unauthenticated attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package ring to the latest version.
Vulnerable software versionsUbuntu: 23.10
jami-daemon (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
jami (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:jami-daemon_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:jami_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6422-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Stack-based buffer overflow
EUVDB-ID: #VU60954
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-43301
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in PJSUA API when calling pjsua_playlist_create. A remote unauthenticated attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package ring to the latest version.
Vulnerable software versionsUbuntu: 23.10
jami-daemon (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
jami (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:jami-daemon_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:jami_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6422-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Out-of-bounds read
EUVDB-ID: #VU60955
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-43302
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition in PJSUA API when calling pjsua_recorder_create. A remote attacker can trigger out-of-bounds read error and cause a denial of service condition on the system.
MitigationUpdate the affected package ring to the latest version.
Vulnerable software versionsUbuntu: 23.10
jami-daemon (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
jami (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:jami-daemon_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:jami_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6422-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Buffer overflow
EUVDB-ID: #VU60956
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-43303
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in PJSUA API when calling pjsua_call_dump. A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package ring to the latest version.
Vulnerable software versionsUbuntu: 23.10
jami-daemon (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
jami (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:jami-daemon_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:jami_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6422-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Out-of-bounds read
EUVDB-ID: #VU60859
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-43804
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition when parsing RTCP BYE message. A remote attacker can trigger out-of-bounds read error and read contents of memory on the system.
MitigationUpdate the affected package ring to the latest version.
Vulnerable software versionsUbuntu: 23.10
jami-daemon (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
jami (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:jami-daemon_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:jami_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6422-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Out-of-bounds read
EUVDB-ID: #VU60856
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-43845
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within RTCP XR message. A remote attacker can trigger out-of-bounds read error and read contents of memory on the system.
MitigationUpdate the affected package ring to the latest version.
Vulnerable software versionsUbuntu: 23.10
jami-daemon (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
jami (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:jami-daemon_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:jami_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6422-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Out-of-bounds read
EUVDB-ID: #VU60860
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-21722
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition during RTP/RTCP parsing. A remote attacker can trigger out-of-bounds read error and read contents of memory on the system.
MitigationUpdate the affected package ring to the latest version.
Vulnerable software versionsUbuntu: 23.10
jami-daemon (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
jami (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:jami-daemon_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:jami_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6422-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Out-of-bounds read
EUVDB-ID: #VU60861
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-21723
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition during SIP message parsing. A remote attacker can trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
MitigationUpdate the affected package ring to the latest version.
Vulnerable software versionsUbuntu: 23.10
jami-daemon (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
jami (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:jami-daemon_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:jami_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6422-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Heap-based buffer overflow
EUVDB-ID: #VU70432
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-23537
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when decoding STUN messages. A remote attacker can pass a specially crafted STUN message to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package ring to the latest version.
Vulnerable software versionsUbuntu: 23.10
jami-daemon (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
jami (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:jami-daemon_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:jami_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6422-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Heap-based buffer overflow
EUVDB-ID: #VU70479
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-23547
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when decoding STUN messages. A remote attacker can pass a specially crafted STUN message to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package ring to the latest version.
Vulnerable software versionsUbuntu: 23.10
jami-daemon (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
jami (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:jami-daemon_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:jami_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6422-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Use-after-free
EUVDB-ID: #VU60862
Risk: High
CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-23608
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in dialog set. A remote attacker can send a specially crafted request to cause a dialog set to be registered in the hash table multiple times and results in an endless loop condition.
MitigationUpdate the affected package ring to the latest version.
Vulnerable software versionsUbuntu: 23.10
jami-daemon (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
jami (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:jami-daemon_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:jami_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6422-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Buffer overflow
EUVDB-ID: #VU61377
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-24754
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the pjsip_auth_create_digest(). A remote attacker can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package ring to the latest version.
Vulnerable software versionsUbuntu: 23.10
jami-daemon (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
jami (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:jami-daemon_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:jami_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6422-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Infinite loop
EUVDB-ID: #VU63094
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-24763
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop within XML parsing. A remote attacker can consume all available system resources and cause denial of service conditions.
MitigationUpdate the affected package ring to the latest version.
Vulnerable software versionsUbuntu: 23.10
jami-daemon (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
jami (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:jami-daemon_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:jami_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6422-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Stack-based buffer overflow
EUVDB-ID: #VU63096
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-24764
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in "pjmedia_sdp_print()" and "pjmedia_sdp_media_print()". A remote unauthenticated attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package ring to the latest version.
Vulnerable software versionsUbuntu: 23.10
jami-daemon (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
jami (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:jami-daemon_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:jami_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6422-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Heap-based buffer overflow
EUVDB-ID: #VU63102
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-24793
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when parsing DNS packets. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package ring to the latest version.
Vulnerable software versionsUbuntu: 23.10
jami-daemon (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
jami (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:jami-daemon_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:jami_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6422-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Stack-based buffer overflow
EUVDB-ID: #VU69571
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-31031
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when parsing message as a STUN client. A remote unauthenticated attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package ring to the latest version.
Vulnerable software versionsUbuntu: 23.10
jami-daemon (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
jami (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:jami-daemon_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:jami_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6422-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Buffer overflow
EUVDB-ID: #VU69270
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-39244
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within PJSIP parser, PJMEDIA RTP decoder, and PJMEDIA SDP parser. A remote attacker can send specially crafted data to the application, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package ring to the latest version.
Vulnerable software versionsUbuntu: 23.10
jami-daemon (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
jami (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:jami-daemon_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:jami_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6422-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Buffer overflow
EUVDB-ID: #VU77708
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-27585
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error within PJSIP DNS resolver. A remote attacker can send a specially crafted DNS request to the application, trigger memory corruption and perform a denial of service (DoS) attack.
Update the affected package ring to the latest version.
Vulnerable software versionsUbuntu: 23.10
jami-daemon (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
jami (Ubuntu package): before 20230206.0~ds2-1.3ubuntu0.1
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:*
- cpe:2.3:a:canonical:jami-daemon_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:a:canonical:jami_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6422-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
