
CVE-2022-39269: CWE-319: Cleartext Transmission of Sensitive Information in pjsip pjproject

Medium
Published: Thu Oct 06 2022 (10/06/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: pjsip
Product: pjproject

Description

PJSIP is a free and open source multimedia communication library written in C. When processing certain packets, PJSIP may incorrectly switch from using SRTP media transport to using basic RTP upon SRTP restart, causing the media to be sent insecurely. The vulnerability impacts all PJSIP users that use SRTP. The patch is available as commit d2acb9a in the master branch of the project and will be included in version 2.13. Users are advised to manually patch or to upgrade. There are no known workarounds for this vulnerability.

AI-Powered Analysis

Last updated: 06/22/2025, 16:07:58 UTC

Technical Analysis

CVE-2022-39269 is a vulnerability in the PJSIP pjproject, an open-source multimedia communication library widely used for VoIP and real-time communication applications. The vulnerability arises from improper handling of Secure Real-time Transport Protocol (SRTP) sessions. Specifically, when processing certain packets during an SRTP restart, pjproject may incorrectly revert from SRTP to unencrypted RTP, so that media streams are transmitted in cleartext. This flaw affects all versions of pjproject from 2.11 up to, but not including, 2.13, where the issue has been patched. The vulnerability is classified under CWE-319, which concerns the cleartext transmission of sensitive information. Since SRTP is designed to protect the confidentiality and integrity of voice and video streams, this fallback to RTP exposes sensitive media content to interception and eavesdropping by attackers capable of network packet capture. The vulnerability does not require user interaction or authentication to be exploited, as it is triggered by the protocol's handling of SRTP restart packets. No known exploits have been reported in the wild, but the risk remains significant due to the sensitive nature of the data transmitted. The patch is available in the pjproject master branch and will be included in version 2.13; users are advised to upgrade or manually apply the patch. No workarounds are currently known, which underlines the importance of timely remediation.

Potential Impact

For European organizations, the impact of this vulnerability can be substantial, especially for entities relying on PJSIP-based communication systems for secure voice and video calls, such as telecommunications providers, call centers, government agencies, and enterprises with remote communication infrastructure. The exposure of unencrypted media streams can lead to confidentiality breaches, allowing attackers to intercept sensitive conversations, potentially leaking personal data, intellectual property, or classified information. This undermines trust in communication channels and may violate data protection regulations such as the GDPR, leading to legal and financial repercussions. Additionally, the integrity of communication could be compromised if attackers manipulate RTP streams, although this is less directly indicated. The availability of services is less likely to be affected directly by this vulnerability. Given the widespread use of PJSIP in various softphones, PBX systems, and embedded communication devices, the scope of affected systems is broad. The ease of exploitation is moderate since it requires network access to intercept or manipulate SRTP restart packets, which may be feasible in local networks or through compromised network infrastructure. The lack of authentication or user interaction requirements increases the risk profile. Overall, European organizations with critical communication infrastructure using vulnerable pjproject versions face a medium to high risk of data exposure and regulatory non-compliance.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should prioritize upgrading pjproject to version 2.13 or later, where the patch addressing the SRTP fallback issue is included. If immediate upgrading is not feasible, applying the manual patch from the pjproject master branch is essential. Network administrators should monitor network traffic for unexpected RTP streams where SRTP is expected, using deep packet inspection tools to detect unencrypted media transmissions. Implementing strict network segmentation and access controls can reduce the risk of attackers gaining the necessary network position to exploit the vulnerability. Organizations should also audit and update their VoIP and communication system configurations to ensure SRTP is enforced and fallback to RTP is disabled or closely monitored. Regular security assessments and penetration testing focusing on VoIP infrastructure can help identify exploitation attempts. Finally, organizations should maintain up-to-date incident response plans that include scenarios involving interception of communication streams to respond swiftly to potential breaches.
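The monitoring advice above can be turned into a concrete check. The following is an added example, not code from the advisory or from pjproject: a heuristic detector that flags packets in a stream that was negotiated as SRTP but arrive sized as bare RTP. It assumes (constructed for the example) PCMU/PCMA at 20 ms ptime, so every payload is 160 bytes, and an SRTP profile whose 10-byte authentication tag makes encrypted packets 10 bytes longer than cleartext ones; the sample packets are constructed inline, not captured traffic.

```python
import math
import struct
# Assumptions for this example (constructed, not from the advisory): PCMU/PCMA at
# 20 ms ptime (160-byte payload) and an SRTP profile with a 10-byte auth tag.
AUTH_TAG_LEN = 10
CODEC_PAYLOAD_LEN = {0: 160, 8: 160}

def build_rtp(pt, seq, ts, ssrc, body):
    """Construct an RTP v2 packet (no CSRC, no extension) for sample data."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq, ts, ssrc) + body

def parse_rtp_header(pkt):
    """Return (payload_type, seq, ssrc, header_len); reject non-RTP input."""
    if len(pkt) < 12:
        raise ValueError("packet shorter than RTP fixed header")
    b0, b1, seq, _ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return b1 & 0x7F, seq, ssrc, 12 + 4 * (b0 & 0x0F)  # header + CSRC list

def byte_entropy(data):
    """Shannon entropy in bits/byte; SRTP ciphertext sits near the top."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data))) if n else 0.0

def classify(pkt):
    """'srtp' when sized for payload+tag, 'rtp' when sized for the bare payload."""
    pt, _seq, _ssrc, hlen = parse_rtp_header(pkt)
    expected = CODEC_PAYLOAD_LEN.get(pt)
    body_len = len(pkt) - hlen
    if expected is None:
        return "unknown"
    if body_len == expected + AUTH_TAG_LEN:
        return "srtp"
    return "rtp" if body_len == expected else "unknown"

def find_cleartext_fallback(packets):
    """(seq, payload entropy) of packets that arrived as bare RTP in an SRTP stream."""
    hits = []
    for pkt in packets:
        if classify(pkt) == "rtp":
            _pt, seq, _ssrc, hlen = parse_rtp_header(pkt)
            hits.append((seq, round(byte_entropy(pkt[hlen:]), 2)))
    return hits

# Constructed sample stream: two SRTP-sized packets, then a bare-RTP packet of
# PCMU silence (0xFF) such as a fallback after SRTP restart would expose.
_CIPHERTEXT = bytes((i * 73 + 41) % 256 for i in range(170))
SAMPLE_STREAM = [build_rtp(0, 100 + i, 160000 + 160 * i, 0xDEADBEEF, body)
                 for i, body in enumerate([_CIPHERTEXT, _CIPHERTEXT, b"\xff" * 160])]
```

The length rule is the primary signal; the reported payload entropy is a secondary one, since a cleartext G.711 payload (silence here scores 0.0) sits far below ciphertext, while variable-rate codecs need a per-codec size table rather than the fixed 160 bytes assumed above.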


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-09-02T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9845c4522896dcbf4684

Added to database: 5/21/2025, 9:09:25 AM

Last enriched: 6/22/2025, 4:07:58 PM

Last updated: 8/13/2025, 6:04:40 PM

