CVE-2021-43302: 
NixOS vulnerability analysis and mitigation

A read out-of-bounds vulnerability (CVE-2021-43302) was discovered in the PJSUA API when calling pjsuarecordercreate function. The vulnerability affects PJSIP versions 2.11.1 and below, where an attacker-controlled 'filename' argument may cause an out-of-bounds read when the filename is shorter than 4 characters (PJSIP Advisory, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H. The issue stems from insufficient input validation in the pjsuarecordercreate function, where filenames shorter than 4 characters can trigger an out-of-bounds read condition. The vulnerability is classified as CWE-125 (Out-of-bounds Read) (NVD).

The vulnerability could allow an attacker to cause information disclosure through out-of-bounds read operations when processing specially crafted filenames. This could potentially lead to unauthorized access to sensitive information or system crash, resulting in a denial of service condition (PJSIP Advisory).

The vulnerability has been fixed in PJSIP version 2.12 and later. Users are recommended to upgrade to the patched version. As a workaround, applications should validate the filename length before calling the pjsuarecordercreate API (PJSIP Advisory).