CVE-2023-28095

OpenSIPS has vulnerability in the building the local negative replies

CVSS 7.5 HIGHEPSS 1.0%CWE-20

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7.5EPSS 1.0%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

15 Mar 2023Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

OpenSIPS is a Session Initiation Protocol (SIP) server implementation. Versions prior to 3.1.7 and 3.2.4 have a potential issue in `msg_translator.c:2628` which might lead to a server crash. This issue was found while fuzzing the function `build_res_buf_from_sip_req` but could not be reproduced against a running instance of OpenSIPS. This issue could not be exploited against a running instance of OpenSIPS since no public function was found to make use of this vulnerable code. Even in the case of exploitation through unknown vectors, it is highly unlikely that this issue would lead to anything other than Denial of Service. This issue has been fixed in versions 3.1.7 and 3.2.4.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

OpenSIPS · opensips

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/OpenSIPS/opensips/commit/9cf3dd3398719dd91207495f76d7726701c5145c https://github.com/OpenSIPS/opensips/security/advisories/GHSA-7pf3-24qg-8v9h https://opensips.org/pub/audit-2022/opensips-audit-technical-report-full.pdf