51 matches found
CVE-2019-13161
CVE-2019-13161 affects Asterisk Open Source (through 13.x/14.x/15.x/16.x and Certified Asterisk up to 13.21-cert3). The issue is a pointer dereference in chan_sip during SDP negotiation, which can crash Asterisk when handling an SDP answer to an outgoing T.38 re-invite. Exploitation requires forc...
CVE-2019-12827
CVE-2019-12827 : Buffer overflow in Digium Asterisk’s res_pjsip_messaging (versions 13.21-cert3, 13.27.0, 15.7.2, 16.4.0 and earlier) can be triggered by a specially crafted SIP MESSAGE, allowing remote authenticated users to crash Asterisk. The issue is a memory boundary violation in the res_pjs...
CVE-2019-18610
CVE-2019-18610 affects Sangoma Asterisk: a vulnerability in manager.c allows a remote authenticated Asterisk Manager Interface (AMI) user with no system authorization to execute arbitrary commands via a crafted Originate AMI request. Affected are Asterisk up to 13.x, 16.x, 17.x and Certified Aste...
CVE-2021-32558
The CVE-2021-32558 issue affects Sangoma Asterisk and Certified Asterisk: IAX2 channel driver may crash when receiving a packet with an unsupported media format. Affected versions include Asterisk 13.x before 13.38.3, 16.x before 16.19.1, 17.x before 17.9.4, 18.x before 18.5.1, and Certified Aste...
CVE-2019-18790
CVE-2019-18790ffects Sangoma Asterisk chan_sip.c: a SIP request can alter a peer’s IP address to hijack calls. Affected: Asterisk 13.x <13.29.2, 16.x <16.6.2, 17.x <17.0.1; Certified Asterisk
CVE-2022-26651
The CVE-2022-26651 issue affects Asterisk through 19.x and Certified Asterisk through 16.8-cert13, in the func_odbc module, where inadequate escaping for backslash characters in SQL queries can cause user-provided data to create broken or injectable SQL. The documented impact includes potential i...
CVE-2013-5642
CVE-2013-5642 affects Asterisk and related builds (Open Source 1.8.x up to 1.8.23.1, 10.x up to 10.12.3, 11.x up to 11.5.1; Certified Asterisk 1.8.15 up to 1.8.15-cert3 and 11.2 up to 11.2-cert2; Asterisk Digiumphones 10.x-digiumphones up to 10.12.3-digiumphones). The vulnerability is a remote de...
CVE-2013-5641
CVE-2013-5641 affects Asterisk SIP channel driver (channels/chan_sip.c) in Asterisk Open Source 1.8.17.x–1.8.22.x, 1.8.23.x before 1.8.23.1, and 11.x before 11.5.1 (Certified Asterisk 1.8.15 before 1.8.15-cert3 and 11.2 before 11.2-cert2). The vulnerability allows remote attackers to cause a deni...
CVE-2017-14100
CVE-2017-14100 is a remote command execution vulnerability in Asterisk versions: 11.x before 11.25.2, 13.x before 13.17.1, 14.x before 14.6.1, and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5. It is caused by the app_minivm module’s externnotify option used by the Minivm...
CVE-2021-26713
CVE-2021-26713 affects Sangoma Asterisk: a stack-based buffer overflow in res_rtp_asterisk.c allows an authenticated WebRTC client to crash Asterisk by rapidly issuing multiple hold/unhold requests. Root cause is a signedness comparison mismatch. Affected revisions: Sangoma Asterisk before 16.16....
CVE-2021-26906
The CVE-2021-26906 entry describes an SDP negotiation vulnerability in PJSIP within Digium Asterisk (and Certified Asterisk) up to specific older branches, allowing a remote server to potentially crash Asterisk by sending SIP responses that trigger an SDP negotiation failure. Affected products in...
CVE-2014-8418
CVE-2014-8418 affects Asterisk Open Source: DB dialplan function allows remote authenticated users to gain privileges via a call from an external protocol (AMI). Affected: 1.8.x before 1.8.32, 11.x before 11.1.4.1, 12.x before 12.7.1, 13.x before 13.0.1; Certified Asterisk 1.8.x before 1.8.28-cer...
CVE-2021-26712
CVE-2021-26712 describes a flaw in res_srtp.c in Sangoma Asterisk versions 13.38.1, 16.16.0, 17.9.1, 18.2.0 and Certified Asterisk 16.8-cert5 where an unauthenticated remote attacker can prematurely terminate secure calls by replaying SRTP packets. The connected records confirm the affected produ...
CVE-2018-7284
CVE-2018-7284 affects Asterisk and Certified Asterisk; during SUBSCRIBE, res_pjsip_pubsub does not cap Accept headers (limit 32) and can write outside memory, causing a crash. Affected: 13.x–15.x releases (precise bounds in sources). Exploitation details exist (Exploit-DB), with vendor advisories...
CVE-2017-17090
CVE-2017-17090 affects the chan_skinny (SCCP) driver in Asterisk, where flooding the channel driver with certain requests can exhaust VM memory and cause the process to stop handling requests. Public details include both exploitation references (Exploit-DB entry for 13.17.2) and multiple vendor a...
CVE-2019-18976
CVE-2019-18976 affects Sangoma Asterisk and Certified Asterisk up to 13.x; a NULL pointer dereference and crash can occur when receiving a re-invite that initiates T.38 faxing if the SDP has a port of 0 and no c-line. Public details confirm the affected file is res_pjsip_t38.c and the issue is a ...
CVE-2015-3008
CVE-2015-3008 affects Asterisk Open Source: 1.8 before 1.8.32.3, 11.x before 11.17.1, 12.x before 12.8.2, 13.x before 13.3.2, and Certified Asterisk equivalents (e.g., 1.8.28 before 1.8.28-cert5, 11.6 before 11.6-cert11, 13.1 before 13.1-cert2). Root cause: improper handling of a null byte in the...
CVE-2021-26717
The CVE-2021-26717 issue affects Sangoma Asterisk: 16.x before 16.16.1, 17.x before 17.9.2, 18.x before 18.2.1, and Certified Asterisk before 16.8-cert6. During T.38 renegotiation, if the initial remote response is delayed, Asterisk may send both audio and T.38 in the SDP; if the remote answers w...
CVE-2020-28327
A vulnerability in Asterisk’s SIP handling (res_pjsip_session) can crash the process when a new SIP Invite is processed. The issue arises from a gap between dialog object creation and its next use, potentially allowing another thread to free the dialog and leading to a crash on dereference. Affec...
CVE-2017-16672
CVE-2017-16672 affects Asterisk Open Source: memory leak in pjsip session objects when a call is rejected before establishment. Affected versions: Asterisk 13 prior to 13.18.1; 14 prior to 14.7.1; 15 prior to 15.1.1; Certified Asterisk 13.13 prior to 13.13-cert7. Impact: potential memory exhausti...
CVE-2018-7286
CVE-2018-7286 affects Asterisk and Certified Asterisk prior to vendor patches: res_pjsip accepts a sequence of SIP INVITE messages over TCP/TLS from an authenticated remote user, then the connection is abruptly closed, causing a segmentation fault (DoS). Affected: Asterisk versions up to 13.19.1,...
CVE-2012-5976
CVE-2012-5976 describes stack-consumption vulnerabilities in Asterisk Open Source where parsing of TCP-based protocols (SIP, HTTP, XMPP) could be exploited to crash the daemon. Affected: Asterisk 1.8.x before 1.8.19.1, 10.x before 10.11.1, 11.x before 11.1.2; and corresponding Certified Asterisk ...
CVE-2014-2287
CVE-2014-2287 affects Asterisk chan_sip in 1.8.x prior to 1.8.26.1, 11.8.x prior to 11.8.1, and 12.1.x prior to 12.1.1, plus certain Certified Asterisk builds. A remote authenticated user can cause a denial of service by sending an INVITE with a malformed or invalid Session-Expires or Min-SE head...
CVE-2018-12227
CVE-2018-12227 affects Asterisk Open Source 13.x before 13.21.1, 14.x before 14.7.7, and 15.x before 15.4.1 (including Certified Asterisk 13.18-cert4/13.21-cert2). The issue is an information-disclosure in SIP ACL handling: when endpoint-specific ACLs block a request, a 403 is returned; if the en...
CVE-2017-14099
CVE-2017-14099 affects Asterisk 11.x (before 11.25.2), 13.x (before 13.17.1) and 14.x (before 14.6.1), including Certified Asterisk, with unauthorized data disclosure via RTP media hijacking when strict RTP, NAT, and symmetric RTP are combined. Root cause: changes to strict RTP handling allowed l...
CVE-2017-14603
CVE-2017-14603 affects Asterisk 11.x prior to 11.25.3, 13.x prior to 13.17.2, and 14.x prior to 14.6.2 (plus Certified Asterisk 11.x before 11.6-cert18 and 13.x before 13.13-cert6). The issue is insufficient RTCP packet validation, which can allow reading stale buffer contents and, when combined ...
CVE-2018-17281
CVE-2018-17281 affects the Asterisk res_http_websocket.so module and allows an attacker to crash Asterisk by sending a crafted HTTP Upgrade request to websocket. Affected: Asterisk up to 13.23.0, 14.7.x up to 14.7.7, 15.x up to 15.6.0, and Certified Asterisk up to 13.21-cert2. Consequences: denia...
CVE-2016-7551
CVE-2016-7551 affects Asterisk Open Source 11.x (before 11.23.1) and 13.x (before 13.11.1), as well as Certified Asterisk 11.6 (before 11.6-cert15) and 13.8 (before 13.8-cert3). The vulnerability in chain_sip allows remote attackers to cause a denial of service via port exhaustion. The available ...
CVE-2017-17850
CVE-2017-17850 affects Asterisk 13.18.4 and older, 14.7.4 and older, 15.1.4 and older, and 13.18-cert1 and older. If a SIP request creates a dialog and the SIP contact header is missing while using the PJSIP channel driver, Asterisk may crash. Authentication reduces risk by requiring prior author...
CVE-2013-7100
The connected MGASA-2014-0171 advisory provides concrete details for CVE-2013-7100: Asterisk before 11.6.1 decodes a 16‑bit SMS message with an odd length in the unpacksms16 function, causing an infinite loop and a crash due to memory corruption (buffer overflow). This is the root cause and the i...
CVE-2014-4047
CVE-2014-4047 signature in Asterisk describes a remote denial-of-service due to exhaustion of HTTP sessions caused by a large number of TCP connections. Affected products include Asterisk Open Source 1.8.x before 1.8.28.1, 11.x before 11.10.1, and 12.x before 12.3.1, plus Certified Asterisk 1.8.1...
CVE-2016-2316
CVE-2016-2316 affects Asterisk Open Source and Certified Asterisk: chan_sip allows remote denial of service when timert1 in sip.conf > 1245, via large retransmit timeout values. Affected: Asterisk 1.8.x; 11.x before 11.21.1; 12.x; 13.x before 13.7.1; Certified Asterisk 1.8.28; 11.6 before 11.6...
CVE-2017-7617
CVE-2017-7617 affects Asterisk Open Source 13.x before 13.14.1 and 14.x before 14.3.1, and Certified Asterisk 13.13 before 13.13-cert3. The issue is a buffer overflow in the CDR user field (in Party A context for the CDR and related to X-ClientCode in chan_sip), enabling remote code execution. Im...
CVE-2017-16671
CVE-2017-16671 affects Asterisk Open Source 13.x (<13.18.1), 14.x (<14.7.1), 15.x (<15.1.1) and Certified Asterisk 13.13 (=13.23.1, and FreeBSD/FreeBSD-based advisories mirror the fix trajectory. If exploiting, an attacker could trigger overflow via crafted CDR updates. No exploitation s...
CVE-2014-6610
CVE-2014-6610 affects Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1, and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module. A remote authenticated user can crash the system via an out-of-call message, caused by improper handling in the ReceiveFax d...
CVE-2016-9938
CVE-2016-9938 affects Asterisk Open Source chan_sip: improper stripping of non‑printable ASCII whitespace between SIP header name and a colon allows certain To/header combinations to bypass authentication when used with an authenticating SIP proxy. Affected: 11.x < 11.25.1, 13.x < 13.13.1, ...
CVE-2017-17664
CVE-2017-17664 affects Asterisk Open Source: 13.x before 13.18.4, 14.x before 14.7.4, 15.x before 15.1.4, and Certified Asterisk before 13.13-cert9. Certain compound RTCP packets trigger a crash in the RTCP stack, resulting in a remote crash/DoS condition. The connected sources indicate upstream ...
CVE-2012-5977
CVE-2012-5977 affects Asterisk Open Source 1.8.x <1.8.19.1, 10.x <10.11.1, 11.x <11.1.2 and Certified Asterisk 1.8.11<1.8.11-cert10, plus Asterisk Digiumphones 10.x=1.8.19.1, 10.x >=10.11.1, or 11.x >=11.1.2 (as applicable). Exploitation details or in-the-wild status are not pro...
CVE-2014-2286
CVE-2014-2286 affects Asterisk Open Source by vulnerable main/http.c in 1.8.x <1.8.26.1, 11.8.x <11.8.1, and 12.1.x <12.1.1 (and Certified Asterisk
CVE-2014-8412
CVE-2014-8412 affects Asterisk Open Source and Certified Asterisk: 1.8.x (before 1.8.32.1), 11.x (before 11.14.1), 12.x (before 12.7.1), 13.x (before 13.0.1); Certified Asterisk 1.8.28 (before 1.8.28-cert3) and 11.6 (before 11.6-cert8). The vulnerability is a bypass of ACL restrictions in the VoI...
CVE-2016-2232
CVE-2016-2232 affects Asterisk Open Source: vulnerable are Asterisk Open Source 1.8.x, 11.x before 11.21.1, 12.x, and 13.x before 13.7.1, and Certified Asterisk 1.8.28, 11.6 before 11.6-cert12, and 13.1 before 13.1-cert3. The issue is a denial of service caused by an uninitialized pointer derefer...
CVE-2012-2947
CVE-2012-2947 affects the IAX2 channel driver in Asterisk: when mohinterpret is enabled, a remote attacker placing a call on hold can crash the daemon (DoS). Affected: Certified Asterisk 1.8.11-cert before 1.8.11-cert2; Asterisk Open Source 1.8.x before 1.8.12.1; Asterisk 10.x before 10.4.1. Root...
CVE-2012-3812
CVE-2012-3812 is a double-free vulnerability in Asterisk voicemail handling that can be abused by remote authenticated users to crash the daemon when accessing both Urgent and INBOX mailboxes. Affected products and versions: Asterisk Open Source 1.8.x prior to 1.8.13.1; Asterisk Open Source 10.x ...
CVE-2014-9374
CVE-2014-9374: A double free vulnerability in Asterisk’s WebSocket Server (res_http_websocket) can crash remote servers by processing a zero-length frame after a non-zero-length frame. Affected: Asterisk Open Source 11.x before 11.14.2, 12.x before 12.7.2, 13.x before 13.0.2, and Certified Asteri...
CVE-2014-4046
CVE-2014-4046 affects Asterisk Open Source 11.x before 11.10.1 and 12.x before 12.3.1, plus Certified Asterisk 11.6 before 11.6-cert3, allowing remote authenticated Manager users to execute arbitrary shell commands via a MixMonitor action. Public advisories (Debian DLA-455-1, Mageia MGASA-2014-03...
CVE-2014-8417
CVE-2014-8417 affects Asterisk’s ConfBridge: remote authenticated users can escalate privileges via the external protocol to the CONFBRIDGE dialplan function or run arbitrary commands via a crafted ConfbridgeStartRecord AMI action. Affected: Asterisk 11.x pre-11.14.1, 12.x pre-12.7.1, 13.x pre-13...
CVE-2012-3863
CVE-2012-3863 affects Asterisk Open Source 1.8.x before 1.8.13.1 and 10.x before 10.5.2 (also in various packaged releases such as Certified Asterisk and Digiumphones) due to improper handling of a provisional SIP reINVITE response in channels/chan_sip.c. This can allow remote authenticated users...
CVE-2012-4737
CVE-2012-4737 affects Asterisk Open Source 1.8.x prior to 1.8.15.1 and 10.x prior to 10.7.1 (also affected Certified Asterisk 1.8.11 before 1.8.11-cert7, Asterisk Digiumphones 10.x, and Asterisk Business Edition C.3.x before C.3.7.6). The vulnerability arises because ACL rules are not enforced du...
CVE-2014-8414
CVE-2014-8414 affects Asterisk 11.x (before 11.14.1) and Certified Asterisk 11.6 (before 11.6-cert8). The issue arises in ConfBridge where state changes are not handled correctly, allowing remote attackers to trigger a denial of service by delaying state transitions, causing the channel to hang a...
CVE-2017-9372
The CVE-2017-9372 entry affects PJSIP/PJProject used in Asterisk Open Source (13.x before 13.15.1, 14.x before 14.4.1) and Certified Asterisk (13.13 before 13.13-cert4). The issue allows remote attackers to cause a denial of service (buffer overflow and application crash) via a SIP packet with a ...