CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2022-42705
https://notcve.org/view.php?id=CVE-2022-42705
A use-after-free in res_pjsip_pubsub.c in Sangoma Asterisk 16.28, 18.14, 19.6, and certified/18.9-cert2 may allow a remote authenticated attacker to crash Asterisk (denial of service) by performing activity on a subscription via a reliable transport at the same time that Asterisk is also performing activity on that subscription. Un use after free en res_pjsip_pubsub.c en Sangoma Asterisk 16.28, 18.14, 19.6 y certificado/18.9-cert2 puede permitir que un atacante remoto autenticado bloquee Asterisk (denegación de servicio) al realizar actividad en una suscripción a través de un transporte confiable en al mismo tiempo que Asterisk también realiza actividad en esa suscripción. • https://downloads.asterisk.org/pub/security/AST-2022-008.html https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html https://www.debian.org/security/2023/dsa-5358 • CWE-416: Use After Free •
CVSS: 4.9EPSS: 0%CPEs: 6EXPL: 0CVE-2022-42706
https://notcve.org/view.php?id=CVE-2022-42706
An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to access files outside of the asterisk configuration directory, aka Directory Traversal. Se descubrió un problema en Sangoma Asterisk hasta 16.28, 17 y 18 hasta 18.14, 19 hasta 19.6 y se certificó hasta 18.9-cert1. GetConfig, a través de la interfaz de Asterisk Manager, permite que una aplicación conectada acceda a archivos fuera del directorio de configuración de Asterisk, aka como Directory Traversal. • https://downloads.asterisk.org/pub/security/AST-2022-009.html https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html https://www.debian.org/security/2023/dsa-5358 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-37325
https://notcve.org/view.php?id=CVE-2022-37325
In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a crash. En Sangoma Asterisk hasta 16.28.0, 17.x y 18.x hasta 18.14.0, y 19.x hasta 19.6.0, un mensaje de configuración entrante a addons/ooh323c/src/ooq931.c con una persona que llama o una persona llamada con formato incorrecto IE puede provocar un bloqueo. • https://downloads.asterisk.org/pub/security/AST-2022-007.html https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html https://www.debian.org/security/2023/dsa-5358 • CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 4%CPEs: 5EXPL: 0CVE-2022-26498 – Shannon Baseband chatroom SDP Attribute Memory Corruption
https://notcve.org/view.php?id=CVE-2022-26498
An issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it is possible to download files that are not certificates. These files could be much larger than what one would expect to download, leading to Resource Exhaustion. This is fixed in 16.25.2, 18.11.2, and 19.3.2. Se ha detectado un problema en Asterisk versiones hasta 19.x. • http://packetstormsecurity.com/files/166744/Asterisk-Project-Security-Advisory-AST-2022-001.html http://packetstormsecurity.com/files/172139/Shannon-Baseband-chatroom-SDP-Attribute-Memory-Corruption.html https://downloads.asterisk.org/pub/security https://downloads.asterisk.org/pub/security/AST-2022-001.html https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html https://www.debian.org/security/2022/dsa-5285 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.1EPSS: 0%CPEs: 5EXPL: 0CVE-2022-26499
https://notcve.org/view.php?id=CVE-2022-26499
An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send arbitrary requests (such as GET) to interfaces such as localhost by using the Identity header. This is fixed in 16.25.2, 18.11.2, and 19.3.2. Se ha detectado un problema de tipo SSRF en Asterisk versiones hasta 19.x. Cuando es usado STIR/SHAKEN, es posible enviar peticiones arbitrarias (como GET) a interfaces como localhost usando el encabezado Identity. • http://packetstormsecurity.com/files/166745/Asterisk-Project-Security-Advisory-AST-2022-002.html https://downloads.asterisk.org/pub/security https://downloads.asterisk.org/pub/security/AST-2022-002.html https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html https://www.debian.org/security/2022/dsa-5285 • CWE-918: Server-Side Request Forgery (SSRF) •