ID OPENVAS:1361412562310703933 Type openvas Reporter Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net Modified 2019-03-18T00:00:00
Description
Two vulnerabilities were found in the PJSIP/PJProject communication
library, which may result in denial of service.
###############################################################################
# OpenVAS Vulnerability Test
# $Id: deb_3933.nasl 14275 2019-03-18 14:39:45Z cfischer $
#
# Auto-generated from advisory DSA 3933-1 using nvtgen 1.0
# Script version: 1.0
#
# Author:
# Greenbone Networks
#
# Copyright:
# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net
# Text descriptions are largely excerpted from the referenced
# advisory, and are Copyright (c) the respective author(s)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
if(description)
{
  # Registration pass: the scanner runs this branch only to collect plugin
  # metadata. Nothing is probed on the target here.

  # --- Identity -----------------------------------------------------------
  script_oid("1.3.6.1.4.1.25623.1.0.703933");
  script_name("Debian Security Advisory DSA 3933-1 (pjproject - security update)");
  script_version("$Revision: 14275 $");
  script_copyright("Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net");
  script_family("Debian Local Security Checks");
  script_category(ACT_GATHER_INFO);
  script_tag(name:"creation_date", value:"2017-08-10 00:00:00 +0200 (Thu, 10 Aug 2017)");
  script_tag(name:"last_modification", value:"$Date: 2019-03-18 15:39:45 +0100 (Mon, 18 Mar 2019) $");

  # --- References ---------------------------------------------------------
  script_cve_id("CVE-2017-9359", "CVE-2017-9372");
  script_xref(name:"URL", value:"http://www.debian.org/security/2017/dsa-3933.html");

  # --- Severity and confidence --------------------------------------------
  # Only a CVSS v2 score is declared (5.0, availability impact "partial").
  # NOTE(review): the CVE records for both CVE-2017-9359 and CVE-2017-9372
  # carry a CVSS v3.0 base score of 7.5 (A:H), so triage that sorts on this
  # plugin's score alone may rank the finding lower than a v3-based view.
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_tag(name:"solution_type", value:"VendorFix");
  # "package": the verdict comes from comparing installed package versions,
  # not from exercising the vulnerable code path.
  script_tag(name:"qod_type", value:"package");

  # --- Preconditions ------------------------------------------------------
  # The check needs the package list produced by gather-package-list.nasl and
  # is gated on the ssh/login/* keys below, including a release match on DEB8.
  # NOTE(review): a scan without working SSH credentials, or against another
  # Debian release, yields no result from this plugin at all; absence of a
  # finding is then not evidence that the host is patched.
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/debian_linux", "ssh/login/packages", re:"ssh/login/release=DEB8");

  # --- Report text --------------------------------------------------------
  # The continuation lines of the multi-line values start at column 0 on
  # purpose: leading spaces would become part of the string.
  script_tag(name:"summary", value:"Two vulnerabilities were found in the PJSIP/PJProject communication
library, which may result in denial of service.");
  script_tag(name:"affected", value:"pjproject on Debian Linux");
  script_tag(name:"vuldetect", value:"This check tests the installed software version using the apt package manager.");
  script_tag(name:"solution", value:"For the oldstable distribution (jessie), these problems have been fixed
in version 2.1.0.0.ast20130823-1+deb8u1.
For the stable distribution (stretch), these problems had been fixed
prior to the initial release.
We recommend that you upgrade your pjproject packages.");

  exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-deb.inc");
# Version check for DSA 3933-1 on Debian 8 (DEB8).
#
# Each binary package below is passed to isdpkgvuln() together with the fixed
# version from the advisory. A non-NULL return is appended to the report.
# NOTE(review): isdpkgvuln() is defined in pkg-lib-deb.inc, not in this file;
# presumably it returns report text when the installed version is older than
# `ver` and NULL otherwise - confirm in the include.

# First fixed version for jessie, identical for every package checked here.
pjproject_fixed = "2.1.0.0.ast20130823-1+deb8u1";

# Packages in the same order as the original per-package checks, so the
# concatenated report text keeps its ordering.
pjproject_pkgs = make_list(
  "libpj2",
  "libpjlib-util2",
  "libpjmedia-audiodev2",
  "libpjmedia-codec2",
  "libpjmedia-videodev2",
  "libpjmedia2",
  "libpjnath2",
  "libpjproject-dev",
  "libpjsip-simple2",
  "libpjsip-ua2",
  "libpjsip2",
  "libpjsua2"
);

res = "";
report = "";

foreach pj_pkg (pjproject_pkgs) {
  res = isdpkgvuln(pkg:pj_pkg, ver:pjproject_fixed, rls:"DEB8");
  if(res != NULL) {
    report += res;
  }
}

if(report == "") {
  # Nothing outdated was found. __pkg_match is not assigned in this file;
  # presumably pkg-lib-deb.inc sets it when at least one queried package is
  # installed - confirm in the include. Exit code 99 is the scanner's
  # "checked, not affected" signal; without a package match the script simply
  # ends and reports nothing either way.
  if(__pkg_match) {
    exit(99);
  }
} else {
  # At least one installed package is older than the fixed version.
  security_message(data:report);
}
{"id": "OPENVAS:1361412562310703933", "type": "openvas", "bulletinFamily": "scanner", "title": "Debian Security Advisory DSA 3933-1 (pjproject - security update)", "description": "Two vulnerabilities were found in the PJSIP/PJProject communication\nlibrary, which may result in denial of service.", "published": "2017-08-10T00:00:00", "modified": "2019-03-18T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703933", "reporter": "Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net", "references": ["http://www.debian.org/security/2017/dsa-3933.html"], "cvelist": ["CVE-2017-9372", "CVE-2017-9359"], "lastseen": "2019-05-29T18:34:06", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-9359", "CVE-2017-9372"]}, {"type": "debian", "idList": ["DEBIAN:DSA-3933-1:C17B3"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2017-9359", "DEBIANCVE:CVE-2017-9372"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-3933.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106822"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-9359", "UB:CVE-2017-9372"]}], "rev": 4}, "score": {"value": 5.6, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2017-9359", "CVE-2017-9372"]}, {"type": "debian", "idList": ["DEBIAN:DSA-3933-1:C17B3"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2017-9359"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-3933.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106822"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-9359", "UB:CVE-2017-9372"]}]}, "exploitation": null, "vulnersScore": 5.6}, "pluginID": "1361412562310703933", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_3933.nasl 14275 2019-03-18 14:39:45Z cfischer $\n#\n# Auto-generated from advisory DSA 3933-1 using nvtgen 
1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703933\");\n script_version(\"$Revision: 14275 $\");\n script_cve_id(\"CVE-2017-9359\", \"CVE-2017-9372\");\n script_name(\"Debian Security Advisory DSA 3933-1 (pjproject - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:39:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-10 00:00:00 +0200 (Thu, 10 Aug 2017)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2017/dsa-3933.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2017 Greenbone Networks GmbH http://greenbone.net\");\n 
script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n script_tag(name:\"affected\", value:\"pjproject on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (jessie), these problems have been fixed\nin version 2.1.0.0.ast20130823-1+deb8u1.\n\nFor the stable distribution (stretch), these problems had been fixed\nprior to the initial release.\n\nWe recommend that you upgrade your pjproject packages.\");\n script_tag(name:\"summary\", value:\"Two vulnerabilities were found in the PJSIP/PJProject communication\nlibrary, which may result in denial of service.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"libpj2\", ver:\"2.1.0.0.ast20130823-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libpjlib-util2\", ver:\"2.1.0.0.ast20130823-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libpjmedia-audiodev2\", ver:\"2.1.0.0.ast20130823-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libpjmedia-codec2\", ver:\"2.1.0.0.ast20130823-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libpjmedia-videodev2\", ver:\"2.1.0.0.ast20130823-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libpjmedia2\", ver:\"2.1.0.0.ast20130823-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libpjnath2\", ver:\"2.1.0.0.ast20130823-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libpjproject-dev\", ver:\"2.1.0.0.ast20130823-1+deb8u1\", 
rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libpjsip-simple2\", ver:\"2.1.0.0.ast20130823-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libpjsip-ua2\", ver:\"2.1.0.0.ast20130823-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libpjsip2\", ver:\"2.1.0.0.ast20130823-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libpjsua2\", ver:\"2.1.0.0.ast20130823-1+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "naslFamily": "Debian Local Security Checks", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645470169}}
{"mageia": [{"lastseen": "2022-04-18T11:19:34", "description": "Two vulnerabilities were found in the PJSIP/PJProject communication library, which may result in denial of service (CVE-2017-9359, CVE-2017-9372). \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-10-13T19:33:56", "type": "mageia", "title": "Updated pjproject packages fix security vulnerabilities\n", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9359", "CVE-2017-9372"], "modified": "2017-10-13T19:33:56", "id": "MGASA-2017-0368", "href": "https://advisories.mageia.org/MGASA-2017-0368.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "nessus": [{"lastseen": "2021-08-19T12:35:51", "description": "Two vulnerabilities were found in the PJSIP/PJProject communication library, which may result in denial of service.", "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-08-11T00:00:00", "type": "nessus", "title": "Debian DSA-3933-1 : pjproject - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-9359", "CVE-2017-9372"], "modified": "2021-01-04T00:00:00", 
"cpe": ["p-cpe:/a:debian:debian_linux:pjproject", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DSA-3933.NASL", "href": "https://www.tenable.com/plugins/nessus/102373", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3933. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102373);\n script_version(\"3.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2017-9359\", \"CVE-2017-9372\");\n script_xref(name:\"DSA\", value:\"3933\");\n\n script_name(english:\"Debian DSA-3933-1 : pjproject - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Two vulnerabilities were found in the PJSIP/PJProject communication\nlibrary, which may result in denial of service.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/pjproject\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2017/dsa-3933\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the pjproject packages.\n\nFor the oldstable distribution (jessie), these problems have been\nfixed in version 2.1.0.0.ast20130823-1+deb8u1.\n\nFor the stable distribution (stretch), these problems had been fixed\nprior to the initial release.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:pjproject\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libpj2\", reference:\"2.1.0.0.ast20130823-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libpjlib-util2\", reference:\"2.1.0.0.ast20130823-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libpjmedia-audiodev2\", reference:\"2.1.0.0.ast20130823-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libpjmedia-codec2\", reference:\"2.1.0.0.ast20130823-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libpjmedia-videodev2\", 
reference:\"2.1.0.0.ast20130823-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libpjmedia2\", reference:\"2.1.0.0.ast20130823-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libpjnath2\", reference:\"2.1.0.0.ast20130823-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libpjproject-dev\", reference:\"2.1.0.0.ast20130823-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libpjsip-simple2\", reference:\"2.1.0.0.ast20130823-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libpjsip-ua2\", reference:\"2.1.0.0.ast20130823-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libpjsip2\", reference:\"2.1.0.0.ast20130823-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libpjsua2\", reference:\"2.1.0.0.ast20130823-1+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "debian": [{"lastseen": "2021-10-21T21:57:34", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3933-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nAugust 10, 2017 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : pjproject\nCVE ID : CVE-2017-9359 CVE-2017-9372\n\nTwo vulnerabilities were found in the PJSIP/PJProject communication\nlibrary, which may result in denial of service.\n\nFor the oldstable distribution (jessie), these problems have been fixed\nin version 2.1.0.0.ast20130823-1+deb8u1.\n\nFor the stable distribution (stretch), these problems had been fixed\nprior to the initial release.\n\nWe recommend that you upgrade your pjproject packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your 
system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-08-10T18:41:54", "type": "debian", "title": "[SECURITY] [DSA 3933-1] pjproject security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9359", "CVE-2017-9372"], "modified": "2017-08-10T18:41:54", "id": "DEBIAN:DSA-3933-1:C17B3", "href": "https://lists.debian.org/debian-security-announce/2017/msg00193.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "openvas": [{"lastseen": "2019-09-24T15:05:07", "description": "Asterisk is prone to multiple vulnerabilities which could lead to a\ndenial of service condition.", "cvss3": {}, "published": "2017-05-23T00:00:00", "type": "openvas", "title": "Asterisk Multiple Vulnerabilities Vulnerability (May 2017)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-9372", "CVE-2017-9359", "CVE-2017-9358"], "modified": "2019-09-20T00:00:00", "id": "OPENVAS:1361412562310106822", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106822", 
"sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Asterisk Multiple Vulnerabilities Vulnerability (May 2017)\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:digium:asterisk';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106822\");\n script_version(\"2019-09-20T11:01:01+0000\");\n script_tag(name:\"last_modification\", value:\"2019-09-20 11:01:01 +0000 (Fri, 20 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-05-23 10:00:40 +0700 (Tue, 23 May 2017)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_cve_id(\"CVE-2017-9372\", \"CVE-2017-9359\", \"CVE-2017-9358\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Asterisk Multiple Vulnerabilities Vulnerability (May 2017)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone 
Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_asterisk_detect.nasl\");\n script_mandatory_keys(\"Asterisk-PBX/Installed\");\n\n script_tag(name:\"summary\", value:\"Asterisk is prone to multiple vulnerabilities which could lead to a\ndenial of service condition.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Asterisk is prone to multiple vulnerabilities:\n\n - Buffer Overrun in PJSIP transaction layer (AST-2017-002)\n\n - Crash in PJSIP multi-part body parser (AST-2017-003)\n\n - Memory exhaustion on short SCCP packets (AST-2017-004)\");\n\n script_tag(name:\"impact\", value:\"An unauthenticated remote attacker may cause a denial of service.\");\n\n script_tag(name:\"affected\", value:\"Asterisk Open Source 11.x, 13.x, 14.x and Certified Asterisk 13.13.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Version 13.15.1, 14.4.1, 13.13-cert4 or later.\");\n\n script_xref(name:\"URL\", value:\"http://downloads.asterisk.org/pub/security/AST-2017-002.html\");\n script_xref(name:\"URL\", value:\"http://downloads.asterisk.org/pub/security/AST-2017-003.html\");\n script_xref(name:\"URL\", value:\"http://downloads.asterisk.org/pub/security/AST-2017-004.html\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"revisions-lib.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version =~ \"^11\\.\" || version =~ \"^13\\.\") {\n if (version =~ \"^13\\.13cert\") {\n if (revcomp(a: version, b: \"13.13cert4\") < 0) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"13.13-cert4\");\n security_message(port: port, data: report, proto: \"udp\");\n exit(0);\n }\n }\n else {\n if (version_is_less(version: version, test_version: \"13.15.1\")) {\n report = report_fixed_ver(installed_version: 
version, fixed_version: \"13.15.1\");\n security_message(port: port, data: report, proto: \"udp\");\n exit(0);\n }\n }\n}\n\nif (version =~ \"^14\\.\") {\n if (version_is_less(version: version, test_version: \"14.4.1\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"14.4.1\");\n security_message(port: port, data: report, proto: \"udp\");\n exit(0);\n }\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "ubuntucve": [{"lastseen": "2021-11-22T21:36:17", "description": "PJSIP, as used in Asterisk Open Source 13.x before 13.15.1 and 14.x before\n14.4.1, Certified Asterisk 13.13 before 13.13-cert4, and other products,\nallows remote attackers to cause a denial of service (buffer overflow and\napplication crash) via a SIP packet with a crafted CSeq header in\nconjunction with a Via header that lacks a branch parameter.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863901>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-06-02T00:00:00", "type": "ubuntucve", "title": "CVE-2017-9372", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9372"], 
"modified": "2017-06-02T00:00:00", "id": "UB:CVE-2017-9372", "href": "https://ubuntu.com/security/CVE-2017-9372", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-11-22T21:36:17", "description": "The multi-part body parser in PJSIP, as used in Asterisk Open Source 13.x\nbefore 13.15.1 and 14.x before 14.4.1, Certified Asterisk 13.13 before\n13.13-cert4, and other products, allows remote attackers to cause a denial\nof service (out-of-bounds read and application crash) via a crafted packet.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863902>\n * <https://issues.asterisk.org/jira/browse/ASTERISK-26939>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-06-02T00:00:00", "type": "ubuntucve", "title": "CVE-2017-9359", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9359"], "modified": "2017-06-02T00:00:00", "id": "UB:CVE-2017-9359", "href": "https://ubuntu.com/security/CVE-2017-9359", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "debiancve": [{"lastseen": "2021-12-14T17:51:54", "description": "PJSIP, as used in Asterisk Open Source 13.x before 
13.15.1 and 14.x before 14.4.1, Certified Asterisk 13.13 before 13.13-cert4, and other products, allows remote attackers to cause a denial of service (buffer overflow and application crash) via a SIP packet with a crafted CSeq header in conjunction with a Via header that lacks a branch parameter.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-06-02T14:29:00", "type": "debiancve", "title": "CVE-2017-9372", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9372"], "modified": "2017-06-02T14:29:00", "id": "DEBIANCVE:CVE-2017-9372", "href": "https://security-tracker.debian.org/tracker/CVE-2017-9372", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-12-14T17:51:54", "description": "The multi-part body parser in PJSIP, as used in Asterisk Open Source 13.x before 13.15.1 and 14.x before 14.4.1, Certified Asterisk 13.13 before 13.13-cert4, and other products, allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-06-02T05:29:00", "type": "debiancve", "title": "CVE-2017-9359", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9359"], "modified": "2017-06-02T05:29:00", "id": "DEBIANCVE:CVE-2017-9359", "href": "https://security-tracker.debian.org/tracker/CVE-2017-9359", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "cve": [{"lastseen": "2022-03-23T18:56:52", "description": "PJSIP, as used in Asterisk Open Source 13.x before 13.15.1 and 14.x before 14.4.1, Certified Asterisk 13.13 before 13.13-cert4, and other products, allows remote attackers to cause a denial of service (buffer overflow and application crash) via a SIP packet with a crafted CSeq header in conjunction with a Via header that lacks a branch parameter.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-06-02T14:29:00", "type": 
"cve", "title": "CVE-2017-9372", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9372"], "modified": "2017-11-05T01:29:00", "cpe": ["cpe:/a:digium:open_source:13.1.0", "cpe:/a:digium:open_source:13.12.0", "cpe:/a:digium:open_source:13.8.2", "cpe:/a:digium:open_source:13.3.0", "cpe:/a:digium:open_source:14.2.1", "cpe:/a:digium:open_source:14.3.0", "cpe:/a:digium:certified_asterisk:13.13.0", "cpe:/a:digium:open_source:13.7.0", "cpe:/a:digium:open_source:14.1.0", "cpe:/a:digium:open_source:13.11.0", "cpe:/a:digium:open_source:13.14.0", "cpe:/a:digium:open_source:13.8.1", "cpe:/a:digium:open_source:14.0.0", "cpe:/a:digium:open_source:13.15.0", "cpe:/a:digium:open_source:13.4.0", "cpe:/a:digium:open_source:13.13.0", "cpe:/a:digium:open_source:14.4.0", "cpe:/a:digium:open_source:13.5.0", "cpe:/a:digium:open_source:13.10.0", "cpe:/a:digium:open_source:13.0.0", "cpe:/a:digium:open_source:13.12.2", "cpe:/a:digium:open_source:14.2.0", "cpe:/a:digium:open_source:13.8.0", "cpe:/a:digium:open_source:13.6.0", "cpe:/a:digium:open_source:13.12.1", "cpe:/a:digium:open_source:13.9.0", "cpe:/a:digium:open_source:13.2.0"], "id": "CVE-2017-9372", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9372", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:digium:open_source:13.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.9.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:certified_asterisk:13.13.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:digium:open_source:13.8.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.6.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.15.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.12.0:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:digium:certified_asterisk:13.13.0:cert1:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:14.0.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:digium:certified_asterisk:13.13.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:digium:certified_asterisk:13.13.0:cert1-rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:14.0.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:certified_asterisk:13.13.0:cert1-rc2:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.4.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.3.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:certified_asterisk:13.13.0:cert3:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.7.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:14.3.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.12.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.10.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:14.0.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.14.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:certified_asterisk:13.13.0:cert1-rc4:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:14.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:14.2.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.1.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.12.1:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.5.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:certified_asterisk:13.13.0:cert2:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.13.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.1.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:14.0.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:digium:open_source:13.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.12.2:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.9.0:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:14.1.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.2.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:14.4.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:certified_asterisk:13.13.0:cert1-rc3:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.8.2:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:14.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:14.2.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.11.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:certified_asterisk:13.13.0:rc1:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T18:56:45", "description": "The multi-part body parser in PJSIP, as used in Asterisk Open Source 13.x before 13.15.1 and 14.x before 14.4.1, Certified Asterisk 13.13 before 13.13-cert4, and other products, allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-06-02T05:29:00", "type": "cve", "title": "CVE-2017-9359", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-9359"], "modified": "2017-11-05T01:29:00", "cpe": ["cpe:/a:digium:open_source:13.1.0", "cpe:/a:digium:open_source:13.12.0", "cpe:/a:digium:open_source:13.8.2", "cpe:/a:digium:open_source:13.3.0", "cpe:/a:digium:certified_asterisk:13.13.0", "cpe:/a:digium:open_source:13.7.0", "cpe:/a:digium:open_source:13.11.0", "cpe:/a:digium:open_source:13.14.0", "cpe:/a:digium:open_source:13.8.1", "cpe:/a:digium:open_source:13.15.0", "cpe:/a:digium:open_source:13.4.0", "cpe:/a:digium:open_source:13.13.0", "cpe:/a:digium:open_source:13.5.0", "cpe:/a:digium:open_source:13.10.0", "cpe:/a:digium:open_source:13.0.0", "cpe:/a:digium:open_source:14.2.0", "cpe:/a:digium:open_source:13.12.2", "cpe:/a:digium:open_source:13.8.0", "cpe:/a:digium:open_source:13.6.0", "cpe:/a:digium:open_source:13.12.1", "cpe:/a:digium:open_source:13.9.0", "cpe:/a:digium:open_source:13.2.0"], "id": "CVE-2017-9359", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9359", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:digium:open_source:13.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.9.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:certified_asterisk:13.13.0:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.8.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.6.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.15.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.12.0:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:digium:certified_asterisk:13.13.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:digium:certified_asterisk:13.13.0:cert1:*:*:*:*:*:*", "cpe:2.3:a:digium:certified_asterisk:13.13.0:cert1-rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:certified_asterisk:13.13.0:cert1-rc2:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.4.0:rc1:*:*:*:*:*:*", 
"cpe:2.3:a:digium:open_source:13.3.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:certified_asterisk:13.13.0:cert3:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.7.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.10.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.12.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.14.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:certified_asterisk:13.13.0:cert1-rc4:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:14.2.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.1.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.12.1:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.5.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:certified_asterisk:13.13.0:cert2:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.1.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.13.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.12.2:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.9.0:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.2.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:certified_asterisk:13.13.0:cert1-rc3:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.8.2:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:14.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:14.2.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:digium:open_source:13.11.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:digium:certified_asterisk:13.13.0:rc1:*:*:*:*:*:*"]}]}