CVE-2022-23537: 
NixOS vulnerability analysis and mitigation

PJSIP, a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE, was found to have a buffer overread vulnerability when parsing specially crafted STUN messages with unknown attributes. This vulnerability (CVE-2022-23537) affects applications that use STUN including PJNATH and PJSUA-LIB in versions prior to 2.13.1. The issue was discovered and reported through Google's OSS-Fuzz program (GitHub Advisory).

The vulnerability stems from improper bounds checking when processing STUN messages containing unknown attributes. The issue occurs in the STUN message decoder functionality, where a buffer overread is possible due to incorrect handling of attribute lengths and padding. The vulnerability has been assigned a Critical severity rating with a CVSS v3.1 Base Score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) by NIST NVD (NVD).

If successfully exploited, this vulnerability could allow an attacker to read beyond the bounds of allocated memory, potentially leading to information disclosure or denial of service. The vulnerability affects applications that use STUN functionality through PJNATH and PJSUA-LIB components (GitHub Advisory).

The vulnerability has been patched in PJSIP version 2.13.1. Users are advised to upgrade to this version or later. The fix involves improving bounds checking in the STUN message decoder and proper handling of attribute lengths. The patch is available as commit d8440f4 in the master branch (GitHub Patch).