CVE-2008-3903

2008-09-0419:41:00

CWE-200

[email protected]

web.nvd.nist.gov

cve-2008-3903

asterisk open source

authentication

sip

remote attack

vulnerability

information security

6.6 Medium

AI Score

Confidence

Low

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N

0.006 Low

EPSS

Percentile

78.4%

JSON

Asterisk Open Source 1.2.x before 1.2.32, 1.4.x before 1.4.24.1, and 1.6.0.x before 1.6.0.8; Asterisk Business Edition A.x.x, B.x.x before B.2.5.8, C.1.x.x before C.1.10.5, and C.2.x.x before C.2.3.3; s800i 1.3.x before 1.3.0.2; and Trixbox PBX 2.6.1, when Digest authentication and authalwaysreject are enabled, generates different responses depending on whether a SIP username is valid, which allows remote attackers to enumerate valid usernames.

CPENameOperatorVersion
asterisk:p_b_xasterisk p b xeq1.6
trixbox:pbxtrixbox pbxeq2.6.1
asterisk:p_b_xasterisk p b xeq1.2
asterisk:p_b_xasterisk p b xeq1.4.21.1
asterisk:p_b_xasterisk p b xeq1.2.22

CPE	Name	Operator	Version
asterisk:p_b_x	asterisk p b x	eq	1.6
trixbox:pbx	trixbox pbx	eq	2.6.1
asterisk:p_b_x	asterisk p b x	eq	1.2
asterisk:p_b_x	asterisk p b x	eq	1.4.21.1
asterisk:p_b_x	asterisk p b x	eq	1.2.22