CVE-2022-24754: 
NixOS vulnerability analysis and mitigation

PJSIP, a free and open source multimedia communication library written in C language, was found to contain a stack-buffer overflow vulnerability (CVE-2022-24754) in versions prior to and including 2.12. This vulnerability specifically impacts PJSIP users who accept hashed digest credentials with data_type PJSIP_CRED_DATA_DIGEST. The issue was discovered and disclosed on March 11, 2022 (GitHub Advisory).

The vulnerability is classified as a stack-buffer overflow that occurs when processing hashed digest credentials. The CVSS v3.1 base score is rated as 9.8 CRITICAL by NVD with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while GitHub rates it as 8.5 HIGH with vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H (NVD).

The vulnerability could potentially lead to arbitrary code execution through stack buffer overflow when processing hashed digest credentials. This affects systems that specifically use PJSIP's credential handling with data_type PJSIP_CRED_DATA_DIGEST (GitHub Advisory).

The vulnerability has been patched in version 2.12.1 and later releases. For users unable to upgrade, a workaround is available: check that the hashed digest data length must be equal to PJSIP_MD5STRLEN before passing to PJSIP. The fix is also available as commit d27f79d in the master branch (GitHub Advisory, Gentoo Advisory).