22 matches found
CVE-2012-2948
CVE-2012-2948 affects the Skinny (SCCP) channel driver (chan_skinny.c) in Asterisk. The vulnerability lets remote authenticated users trigger a NULL pointer dereference that can crash the daemon by closing a connection in off-hook mode. Affected releases include Certified Asterisk 1.8.11-cert bef...
CVE-2012-2414
CVE-2012-2414 affects Asterisk Open Source: 1.6.2.x prior to 1.6.2.24, 1.8.x prior to 1.8.11.1, and 10.x prior to 10.3.1. The issue is that main/manager.c in the Manager Interface does not properly enforce System class authorization, enabling remote authenticated users to execute commands via (1)...
CVE-2012-2415
CVE-2012-2415 is a heap-based buffer overflow in Asterisk’s Skinny channel driver (chan_skinny.c). Affected: Asterisk Open Source 1.6.2.x prior to 1.6.2.24, 1.8.x prior to 1.8.11.1, and 10.x prior to 10.3.1. Trigger: KEYPAD_BUTTON_MESSAGE events sent by remote authenticated users, leading to deni...
CVE-2013-2685
CVE-2013-2685 affects Asterisk Open Source 11.x prior to 11.2.2; it is a stack-based buffer overflow in res/res_format_attr_h264.c triggered by a long sprop-parameter-sets H.264 attribute in SDP headers, enabling remote code execution. Remediation: upgrade to 11.2.2 or later per vendor advisories...
CVE-2011-4063
CVE-2011-4063 affects Asterisk Open Source 1.8.x (before 1.8.7.1) and 10.x (before 10.0.0-rc1). The SIP channel driver (chan_sip.c) does not properly initialize variables during request parsing, allowing remote authenticated users to trigger a denial-of-service and cause the daemon to crash. Miti...
CVE-2008-1897
The CVE-2008-1897 issue affects the IAX2 channel driver in Asterisk Open Source (various 1.0.x, 1.2.x before 1.2.28, 1.4.x before 1.4.19.1; AsteriskNOW; Business Editions; and s800i prior to listed versions). The vulnerability arises when unauthenticated calls are allowed and the ACK response doe...
CVE-2008-1332
CVE-2008-1332 affects Asterisk and several build variants (1.2.x up to 1.2.27; 1.4.x up to 1.4.18.1 and 1.4.19-rc3; AsteriskNOW, Business/Community editions, Appliance Kit, s800i) and allows remote attackers to access the SIP channel driver via a crafted From header, bypassing authentication. Con...
CVE-2007-6430
CVE-2007-6430 affects Asterisk Open Source 1.2.x (before 1.2.26), 1.4.x (before 1.4.16), and Business Edition B.x.x (before B.2.3.6) and C.x.x (before C.1.0-beta8). The issue is that when using realtime (database-based registrations) and host-based authentication, the system does not check the IP...
CVE-2013-2686
CVE-2013-2686 affects Asterisk Open Source HTTP server: main/http.c does not properly restrict Content-Length, enabling stack-consumption DoS via crafted HTTP POST. Affected: Asterisk 1.8.x before 1.8.20.2; 10.x before 10.12.2; 11.x before 11.2.2; Certified Asterisk 1.8.15 before 1.8.15-cert2; As...
CVE-2009-0041
CVE-2009-0041 affects Asterisk Open Source (IAX2) across multiple branches (1.2.x, 1.4.x, 1.6.x and related Business Edition lines) and allows remote attackers to enumerate valid usernames by differing responses to login attempts. The Debian advisory (DSA-1952-1) lists CVE-2009-0041 among several...
CVE-2012-0885
CVE-2012-0885 affects Asterisk Open Source: 1.8.x before 1.8.8.2 and 10.x before 10.0.1. When the res_srtp module is loaded and media support is misconfigured, a crafted SDP message with a crypto attribute can cause a NULL pointer dereference and daemon crash (DoS) via either a video or text medi...
CVE-2008-5558
CVE-2008-5558 affects Asterisk Open Source 1.2.26–1.2.30.3 and related Business Edition 2.3.5–2.5.5 when realtime IAX2 users are enabled. The vulnerability allows remote attackers to cause a denial of service (crash) during authentication attempts with an unknown user or with a hostname-matching ...
CVE-2012-2186
CVE-2012-2186 affects Asterisk Open Source in 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert6, Asterisk Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6. The flaw is an incomplete blacklist ...
CVE-2009-2346
CVE-2009-2346 affects the IAX2 protocol implementation in Asterisk (multiple releases across 1.2.x/1.4.x/1.6.x lines and Business/C.x branches; s800i) and allows a remote attacker to exhaust the call-number space by issuing a high volume of IAX2 messages, causing a denial of service. Connected ad...
CVE-2012-2416
CVE-2012-2416 affects Asterisk Open Source 1.8.x prior to 1.8.11.1 and 10.x prior to 10.3.1, plus Asterisk Business Edition C.3.x prior to C.3.7.4, where enabling trustrpid lets remote authenticated users crash the daemon via SIP UPDATE triggering a connected-line update without an associated cha...
CVE-2008-3264
CVE-2008-3264 describes a DoS via the IAX2 FWDOWNL (firmware download) path in Asterisk and related packages. Affected: Asterisk Open Source 1.0.x, 1.2.x before 1.2.30, 1.4.x before 1.4.21.2; Business Edition A.x.x, B.x.x before B.2.5.4, and C.x.x before C.1.10.3; AsteriskNOW; Appliance Developer...
CVE-2008-1333
CVE-2008-1333 affects Asterisk Open Source 1.6.x prior to 1.6.0-beta6. The vulnerability is a format string issue in logging paths (ast_verbose and astman_append) that could allow remote attackers to execute arbitrary code by crafting logging messages. Affected product/version: Asterisk Open Sour...
CVE-2008-2119
CVE-2008-2119 affects Asterisk Open Source 1.0.x and 1.2.x (pre-1.2.29) and Business Edition A.x.x/B.x.x (pre-B.2.5.3). In pedantic parsing, From header null/empty values are fed to ast_uri_decode, causing a remote DoS (daemon crash). OpenVAS/Gentoo advisories document this and recommend upgradin...
CVE-2008-0095
Asterisk Open Source 1.4.x (and related editions) is affected by a remote DoS via a crafted BYE message containing an Also header, triggering a NULL pointer dereference and daemon crash. The vulnerable range includes 1.4.x before 1.4.17, with affected builds in Business Edition before C.1.0-beta8...
CVE-2008-1289
CVE-2008-1289 describes memory corruption in Asterisk via RTP payload handling and SDP processing. Specifically, multiple buffer overflows allow remote attackers to write arbitrary memory: (1) by sending a large RTP payload number to affect ast_rtp_unset_m_type in main/rtp.c, and (2) by a large v...
CVE-2008-1923
The CVE-2008-1923 issue affects the IAX2 channel driver (chan_iax2) in Asterisk 1.2.x (before r72630) and 1.4.x (before r65679). When configured to allow unauthenticated calls, it sends early audio to an unverified source IP address of a NEW message, enabling remote attackers to trigger a denial ...
CVE-2013-2264
CVE-2013-2264 affects the SIP Channel Driver in Asterisk Open Source (1.8.x up to 1.8.20.2, 10.x up to 10.12.2, 11.x up to 11.2.2; Cert. Asterisk 1.8.15 up to 1.8.15-cert2; BE C.3.x up to C.3.8.1; Digiumphones 10.x up to 10.12.2-digiumphones) and enables remote enumeration of account names by obs...