5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.004 Low
EPSS
Percentile
73.2%
The SIP channel driver in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x
before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before
1.8.15-cert2; Asterisk Business Edition (BE) C.3.x before C.3.8.1; and
Asterisk Digiumphones 10.x-digiumphones before 10.12.2-digiumphones
exhibits different behavior for invalid INVITE, SUBSCRIBE, and REGISTER
transactions depending on whether the user account exists, which allows
remote attackers to enumerate account names by (1) reading HTTP status
codes, (2) reading additional text in a 403 (aka Forbidden) response, or
(3) observing whether certain retransmissions occur.