Lucene search

[email protected]CVE-2018-17281

HistorySep 24, 2018 - 10:29 p.m.

CVE-2018-17281

2018-09-2422:29:00

CWE-400

[email protected]

web.nvd.nist.gov

asterisk

cve-2018-17281

security vulnerability

res_http_websocket.so

stack consumption

http request

websocket

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.2 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.617 Medium

EPSS

Percentile

97.8%

JSON

There is a stack consumption vulnerability in the res_http_websocket.so module of Asterisk through 13.23.0, 14.7.x through 14.7.7, and 15.x through 15.6.0 and Certified Asterisk through 13.21-cert2. It allows an attacker to crash Asterisk via a specially crafted HTTP request to upgrade the connection to a websocket.

CPENameOperatorVersion
digium:asteriskdigium asteriskle14.7.7
digium:asteriskdigium asteriskle13.23.0
digium:asteriskdigium asteriskle15.6.0
digium:certified_asteriskdigium certified asteriskeq11.6
digium:certified_asteriskdigium certified asteriskeq13.21
digium:certified_asteriskdigium certified asteriskeq13.13
digium:certified_asteriskdigium certified asteriskeq13.8
digium:certified_asteriskdigium certified asteriskeq13.1
debian:debian_linuxdebian debian linuxeq8.0
debian:debian_linuxdebian debian linuxeq9.0

CPE	Name	Operator	Version
digium:asterisk	digium asterisk	le	14.7.7
digium:asterisk	digium asterisk	le	13.23.0
digium:asterisk	digium asterisk	le	15.6.0
digium:certified_asterisk	digium certified asterisk	eq	11.6
digium:certified_asterisk	digium certified asterisk	eq	13.21
digium:certified_asterisk	digium certified asterisk	eq	13.13
digium:certified_asterisk	digium certified asterisk	eq	13.8
digium:certified_asterisk	digium certified asterisk	eq	13.1
debian:debian_linux	debian debian linux	eq	8.0
debian:debian_linux	debian debian linux	eq	9.0