Unrated severityNVD Advisory· Published Mar 15, 2023· Updated Feb 25, 2025
OpenSIPS has vulnerability in the Content-Length Parser
CVE-2023-28097
Description
OpenSIPS is a Session Initiation Protocol (SIP) server implementation. Prior to versions 3.1.9 and 3.2.6, a malformed SIP message containing a large _Content-Length_ value and a specially crafted Request-URI causes a segmentation fault in OpenSIPS. This issue occurs when a large amount of shared memory using the -m flag was allocated to OpenSIPS, such as 10 GB of RAM. On the test system, this issue occurred when shared memory was set to 2362 or higher. This issue is fixed in versions 3.1.9 and 3.2.6. The only workaround is to guarantee that the Content-Length value of input messages is never larger than 2147483647.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/OpenSIPS/opensips/commit/7cab422e2fc648f910abba34f3f0dbb3ae171ff5mitrex_refsource_MISC
- github.com/OpenSIPS/opensips/security/advisories/GHSA-c6j5-f4h4-2xrqmitrex_refsource_CONFIRM
- opensips.org/pub/audit-2022/opensips-audit-technical-report-full.pdfmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.