Lucene search

[email protected]NVD:CVE-2018-17281

HistorySep 24, 2018 - 10:29 p.m.

CVE-2018-17281

2018-09-2422:29:01

CWE-400

[email protected]

web.nvd.nist.gov

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.659 Medium

EPSS

Percentile

97.9%

JSON

There is a stack consumption vulnerability in the res_http_websocket.so module of Asterisk through 13.23.0, 14.7.x through 14.7.7, and 15.x through 15.6.0 and Certified Asterisk through 13.21-cert2. It allows an attacker to crash Asterisk via a specially crafted HTTP request to upgrade the connection to a websocket.

Affected configurations

NVD

Node

digiumasteriskRange13.0.0–13.23.0lts

digiumasteriskRange14.0.0–14.7.7

digiumasteriskRange15.0.0–15.6.0standard

Node

digiumcertified_asteriskMatch11.6cert12lts

digiumcertified_asteriskMatch11.6cert13lts

digiumcertified_asteriskMatch11.6cert14lts

digiumcertified_asteriskMatch11.6cert15lts

digiumcertified_asteriskMatch11.6cert16lts

digiumcertified_asteriskMatch11.6cert17lts

digiumcertified_asteriskMatch11.6cert18lts

digiumcertified_asteriskMatch13.1cert3lts

digiumcertified_asteriskMatch13.1cert4lts

digiumcertified_asteriskMatch13.1cert5lts

digiumcertified_asteriskMatch13.1cert6lts

digiumcertified_asteriskMatch13.1cert7lts

digiumcertified_asteriskMatch13.1cert8lts

digiumcertified_asteriskMatch13.8cert1lts

digiumcertified_asteriskMatch13.8cert2lts

digiumcertified_asteriskMatch13.8cert3lts

digiumcertified_asteriskMatch13.8cert4lts

digiumcertified_asteriskMatch13.13cert1lts

digiumcertified_asteriskMatch13.13cert2lts

digiumcertified_asteriskMatch13.13cert3lts

digiumcertified_asteriskMatch13.13cert4lts

digiumcertified_asteriskMatch13.13cert5lts

digiumcertified_asteriskMatch13.13cert6lts

digiumcertified_asteriskMatch13.13cert7lts

digiumcertified_asteriskMatch13.13cert8lts

digiumcertified_asteriskMatch13.13cert9lts

digiumcertified_asteriskMatch13.21cert1lts

digiumcertified_asteriskMatch13.21cert2lts

Node

debiandebian_linuxMatch8.0

debiandebian_linuxMatch9.0

References

downloads.asterisk.org/pub/security/AST-2018-009.html

packetstormsecurity.com/files/149453/Asterisk-Project-Security-Advisory-AST-2018-009.html

seclists.org/fulldisclosure/2018/Sep/31

www.securityfocus.com/bid/105389

www.securitytracker.com/id/1041694

issues.asterisk.org/jira/browse/ASTERISK-28013

lists.debian.org/debian-lts-announce/2018/09/msg00034.html

seclists.org/bugtraq/2018/Sep/53

security.gentoo.org/glsa/201811-11

www.debian.org/security/2018/dsa-4320

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.659 Medium

EPSS

Percentile

97.9%

JSON

Related for NVD:CVE-2018-17281

nessus5 cvelist1 checkpoint_advisories1 osv3 debian2 freebsd1 prion1 openvas3 ubuntucve1 debiancve1 cve1 gentoo1