CVSS: 7.5EPSS: 0%CPEs: 189EXPL: 0CVE-2017-14099 – Asterisk Project Security Advisory - AST-2017-008
https://notcve.org/view.php?id=CVE-2017-14099
02 Sep 2017 — In res/res_rtp_asterisk.c in Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized data disclosure (media takeover in the RTP stack) is possible with careful timing by an attacker. The "strictrtp" option in rtp.conf enables a feature of the RTP stack that learns the source address of media for a session and drops any packets that do not originate from the expected address. This option is enabled by d... • http://downloads.asterisk.org/pub/security/AST-2017-005.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 3%CPEs: 50EXPL: 0CVE-2017-9372 – Debian Security Advisory 3933-1
https://notcve.org/view.php?id=CVE-2017-9372
02 Jun 2017 — PJSIP, as used in Asterisk Open Source 13.x before 13.15.1 and 14.x before 14.4.1, Certified Asterisk 13.13 before 13.13-cert4, and other products, allows remote attackers to cause a denial of service (buffer overflow and application crash) via a SIP packet with a crafted CSeq header in conjunction with a Via header that lacks a branch parameter. PJSIP, tal como es usado en Asterisk Open Source versiones 13.x y anteriores a 13.15.1 y versiones 14.x y anteriores a 14.4.1, Certified Asterisk versión 13.13 y a... • http://downloads.asterisk.org/pub/security/AST-2017-002.txt • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 1%CPEs: 50EXPL: 0CVE-2017-9358
https://notcve.org/view.php?id=CVE-2017-9358
02 Jun 2017 — A memory exhaustion vulnerability exists in Asterisk Open Source 13.x before 13.15.1 and 14.x before 14.4.1 and Certified Asterisk 13.13 before 13.13-cert4, which can be triggered by sending specially crafted SCCP packets causing an infinite loop and leading to memory exhaustion (by message logging in that loop). Existe una vulnerabilidad de agotamiento de memoria en Asterisk Open Source, en versiones 13.x anteriores a la 13.15.1 y versiones 14.x anteriores a la 14.4.1, y en Certified Asterisk, en versiones... • http://downloads.asterisk.org/pub/security/AST-2017-004.txt • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 7.5EPSS: 0%CPEs: 42EXPL: 0CVE-2017-9359 – Debian Security Advisory 3933-1
https://notcve.org/view.php?id=CVE-2017-9359
02 Jun 2017 — The multi-part body parser in PJSIP, as used in Asterisk Open Source 13.x before 13.15.1 and 14.x before 14.4.1, Certified Asterisk 13.13 before 13.13-cert4, and other products, allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet. El analizador multi-part body en PJSIP, tal como es usado en Asterisk Open Source versiones 13.x y anteriores a 13.15.1 y versiones 14.x y anteriores a 14.4.1, Certified Asterisk versión 13.13 y anteriores a 13.13-ce... • http://downloads.asterisk.org/pub/security/AST-2017-003.txt • CWE-125: Out-of-bounds Read •
CVSS: 8.8EPSS: 18%CPEs: 61EXPL: 0CVE-2017-7617
https://notcve.org/view.php?id=CVE-2017-7617
10 Apr 2017 — Remote code execution can occur in Asterisk Open Source 13.x before 13.14.1 and 14.x before 14.3.1 and Certified Asterisk 13.13 before 13.13-cert3 because of a buffer overflow in a CDR user field, related to X-ClientCode in chan_sip, the CDR dialplan function, and the AMI Monitor action. La ejecución remota de código puede ocurrir en Asterisk Open Source 13.x en versiones anteriores a 13.14.1 y 14.x en versiones anteriores a 14.3.1 y Asterisk certificado 13.13 en versiones anteriores a 13.13-cert3 debido a ... • http://downloads.asterisk.org/pub/security/AST-2017-001.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 5.3EPSS: 1%CPEs: 146EXPL: 0CVE-2016-9938
https://notcve.org/view.php?id=CVE-2016-9938
12 Dec 2016 — An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace. This means that ... • http://downloads.asterisk.org/pub/security/AST-2016-009.html • CWE-285: Improper Authorization •
CVSS: 7.5EPSS: 6%CPEs: 113EXPL: 0CVE-2016-7551 – Debian Security Advisory 3700-1
https://notcve.org/view.php?id=CVE-2016-7551
26 Oct 2016 — chain_sip in Asterisk Open Source 11.x before 11.23.1 and 13.x 13.11.1 and Certified Asterisk 11.6 before 11.6-cert15 and 13.8 before 13.8-cert3 allows remote attackers to cause a denial of service (port exhaustion). chain_sip en Asterisk Open Source 11.x en versiones anteriores a 11.23.1 y 13.x 13.11.1 y Certified Asterisk 11.6 en versiones anteriores a 11.6-cert15 y 13.8 en versiones anteriores a 13.8-cert3 permite a atacantes remotos provocar una denegación de servicio (agotamiento portuario) Multiple vu... • http://downloads.asterisk.org/pub/security/AST-2016-007.html • CWE-399: Resource Management Errors •
CVSS: 6.5EPSS: 8%CPEs: 288EXPL: 0CVE-2016-2232 – Debian Security Advisory 3700-1
https://notcve.org/view.php?id=CVE-2016-2232
22 Feb 2016 — Asterisk Open Source 1.8.x, 11.x before 11.21.1, 12.x, and 13.x before 13.7.1 and Certified Asterisk 1.8.28, 11.6 before 11.6-cert12, and 13.1 before 13.1-cert3 allow remote authenticated users to cause a denial of service (uninitialized pointer dereference and crash) via a zero length error correcting redundancy packet for a UDPTL FAX packet that is lost. Asterisk Open Source 1.8.x, 11.x en versiones anteriores a 11.21.1, 12.x y 13.x en versiones anteriores a 13.7.1 y Certified Asterisk 1.8.28, 11.6 en ver... • http://downloads.asterisk.org/pub/security/AST-2016-003.html •
CVSS: 7.1EPSS: 0%CPEs: 290EXPL: 1CVE-2016-2316 – Debian Security Advisory 3700-1
https://notcve.org/view.php?id=CVE-2016-2316
22 Feb 2016 — chan_sip in Asterisk Open Source 1.8.x, 11.x before 11.21.1, 12.x, and 13.x before 13.7.1 and Certified Asterisk 1.8.28, 11.6 before 11.6-cert12, and 13.1 before 13.1-cert3, when the timert1 sip.conf configuration is set to a value greater than 1245, allows remote attackers to cause a denial of service (file descriptor consumption) via vectors related to large retransmit timeout values. chan_sip en Asterisk Open Source 1.8.x, 11.x en versiones anteriores a 11.21.1, 12.x y 13.x en versiones anteriores a 13.7... • http://downloads.asterisk.org/pub/security/AST-2016-002.html • CWE-191: Integer Underflow (Wrap or Wraparound) •
CVSS: 7.5EPSS: 45%CPEs: 322EXPL: 0CVE-2015-3008 – Debian Security Advisory 3700-1
https://notcve.org/view.php?id=CVE-2015-3008
09 Apr 2015 — Asterisk Open Source 1.8 before 1.8.32.3, 11.x before 11.17.1, 12.x before 12.8.2, and 13.x before 13.3.2 and Certified Asterisk 1.8.28 before 1.8.28-cert5, 11.6 before 11.6-cert11, and 13.1 before 13.1-cert2, when registering a SIP TLS device, does not properly handle a null byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. As... • http://advisories.mageia.org/MGASA-2015-0153.html • CWE-310: Cryptographic Issues •