CVE-2011-2666
https://notcve.org/view.php?id=CVE-2011-2666
The default configuration of the SIP channel driver in Asterisk Open Source 1.4.x through 1.4.41.2 and 1.6.2.x through 1.6.2.18.2 does not enable the alwaysauthreject option, which allows remote attackers to enumerate account names by making a series of invalid SIP requests and observing the differences in the responses for different usernames, a different vulnerability than CVE-2011-2536.
References: http://downloads.asterisk.org/pub/security/AST-2011-011.html • https://exchange.xforce.ibmcloud.com/vulnerabilities/68472
CWE-16: Configuration
CVE-2011-2529
https://notcve.org/view.php?id=CVE-2011-2529
chan_sip.c in the SIP channel driver in Asterisk Open Source 1.6.x before 1.6.2.18.1 and 1.8.x before 1.8.4.3 does not properly handle '\0' characters in SIP packets, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted packet.
References: http://downloads.asterisk.org/pub/security/AST-2011-008.diff • http://downloads.asterisk.org/pub/security/AST-2011-008.html • http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062628.html • http://secunia.com/advisories/45048 • http://secunia.com/advisories/45201 • http://secunia.com/advisories/45239 • http://securitytracker.com/id?1025706 • http://www.debian.org/security/2011/dsa-2276 • http://www.osvdb.org/73307 • http://www.securityfocus.com/bid/48431 • https://exchange.xfo
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2011-2665
https://notcve.org/view.php?id=CVE-2011-2665
reqresp_parser.c in the SIP channel driver in Asterisk Open Source 1.8.x before 1.8.4.3 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a SIP packet with a Contact header that lacks a < (less than) character.
References: http://downloads.asterisk.org/pub/security/AST-2011-009-1.8.diff • http://downloads.asterisk.org/pub/security/AST-2011-009.html • http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062628.html • http://secunia.com/advisories/45048 • http://secunia.com/advisories/45201 • http://secunia.com/advisories/45239 • http://www.debian.org/security/2011/dsa-2276
CVE-2011-2536
https://notcve.org/view.php?id=CVE-2011-2536
chan_sip.c in the SIP channel driver in Asterisk Open Source 1.4.x before 1.4.41.2, 1.6.2.x before 1.6.2.18.2, and 1.8.x before 1.8.4.4, and Asterisk Business Edition C.3.x before C.3.7.3, disregards the alwaysauthreject option and generates different responses for invalid SIP requests depending on whether the user account exists, which allows remote attackers to enumerate account names via a series of requests.
References: http://downloads.asterisk.org/pub/security/AST-2011-011-1.8.diff • http://downloads.asterisk.org/pub/security/AST-2011-011.html • http://www.securitytracker.com/id?1025734
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2011-2216
https://notcve.org/view.php?id=CVE-2011-2216
reqresp_parser.c in the SIP channel driver in Asterisk Open Source 1.8.x before 1.8.4.2 does not initialize certain strings, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed Contact header.
References: http://downloads.digium.com/pub/security/AST-2011-007.html • http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062658.html • http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062013.html • http://osvdb.org/72752 • http://secunia.com/advisories/44828 • http://securitytracker.com/id?1025598 • http://www.securityfocus.com/archive/1/518236/100/0/threaded • http://www.securityfocus.com/bid/48096 • https://exchange.xforce.ibmcloud.com/vulnerabilities/67812