CVE-2022-21723: 
NixOS vulnerability analysis and mitigation

PJSIP, a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE, was found to contain a vulnerability (CVE-2022-21723) in versions 2.11.1 and prior. The vulnerability was discovered and disclosed in January 2022, affecting all PJSIP users that accept SIP multipart (GitHub Advisory).

The vulnerability occurs when parsing an incoming SIP message that contains a malformed multipart, which can potentially cause out-of-bound read access. The issue has been assigned a CVSS v3.1 base score of 9.1 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H, indicating high severity with potential for remote exploitation (NVD).

The vulnerability affects the confidentiality and availability of the system through out-of-bound read access, which could lead to information disclosure and potential system crashes. The high CVSS score indicates significant potential impact, particularly concerning unauthorized access to sensitive information (GitHub Advisory).

A patch has been released and is available as commit 077b465 in the master branch. The vulnerability has been fixed in version 2.12 and later releases. Users are advised to upgrade to the patched version as there are no known workarounds (GitHub Advisory, Gentoo Advisory).