CVSS: 5.9EPSS: 37%CPEs: 14EXPL: 0CVE-2018-7287 – Asterisk Project Security Advisory - AST-2018-006
https://notcve.org/view.php?id=CVE-2018-7287
22 Feb 2018 — An issue was discovered in res_http_websocket.c in Asterisk 15.x through 15.2.1. If the HTTP server is enabled (default is disabled), WebSocket payloads of size 0 are mishandled (with a busy loop). Se ha descubierto un problema en res_http_websocket.c en Asterisk hasta la versión 15.2.1. Si el servidor HTTP está habilitado (está deshabilitado por defecto), las cargas útiles de WebSocket de tamaño 0 se gestionan de forma incorrecta (con un bucle ocupado). When reading a websocket, the length was not being ch... • http://downloads.digium.com/pub/security/AST-2018-006.html • CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-7285 – Asterisk Project Security Advisory - AST-2018-001
https://notcve.org/view.php?id=CVE-2018-7285
21 Feb 2018 — A NULL pointer access issue was discovered in Asterisk 15.x through 15.2.1. The RTP support in Asterisk maintains its own registry of dynamic codecs and desired payload numbers. While an SDP negotiation may result in a codec using a different payload number, these desired ones are still stored internally. When an RTP packet was received, this registry would be consulted if the payload number was not found in the negotiated SDP. This registry was incorrectly consulted for all packets, even those which are dy... • http://downloads.asterisk.org/pub/security/AST-2018-001.html • CWE-476: NULL Pointer Dereference •
CVSS: 7.5EPSS: 72%CPEs: 7EXPL: 0CVE-2017-17850 – Gentoo Linux Security Advisory 201811-11
https://notcve.org/view.php?id=CVE-2017-17850
23 Dec 2017 — An issue was discovered in Asterisk 13.18.4 and older, 14.7.4 and older, 15.1.4 and older, and 13.18-cert1 and older. A select set of SIP messages create a dialog in Asterisk. Those SIP messages must contain a contact header. For those messages, if the header was not present and the PJSIP channel driver was used, Asterisk would crash. The severity of this vulnerability is somewhat mitigated if authentication is enabled. • http://downloads.asterisk.org/pub/security/AST-2017-014.html • CWE-20: Improper Input Validation •
CVSS: 5.9EPSS: 2%CPEs: 16EXPL: 0CVE-2017-17664
https://notcve.org/view.php?id=CVE-2017-17664
13 Dec 2017 — A Remote Crash issue was discovered in Asterisk Open Source 13.x before 13.18.4, 14.x before 14.7.4, and 15.x before 15.1.4 and Certified Asterisk before 13.13-cert9. Certain compound RTCP packets cause a crash in the RTCP Stack. Se ha descubierto un problema de cierre inesperado remoto en Asterisk Open Source en versiones 13.x anteriores a la 13.18.4; versiones 14.x anteriores a la 14.7.4 y las versiones 15.x anteriores a la 15.1.4, así como Certified Asterisk en versiones anteriores a la 13.13-cert9. Cier... • http://downloads.digium.com/pub/security/AST-2017-012.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 90%CPEs: 15EXPL: 2CVE-2017-17090 – Asterisk 13.17.2 - 'chan_skinny' Remote Memory Corruption
https://notcve.org/view.php?id=CVE-2017-17090
02 Dec 2017 — An issue was discovered in chan_skinny.c in Asterisk Open Source 13.18.2 and older, 14.7.2 and older, and 15.1.2 and older, and Certified Asterisk 13.13-cert7 and older. If the chan_skinny (aka SCCP protocol) channel driver is flooded with certain requests, it can cause the asterisk process to use excessive amounts of virtual memory, eventually causing asterisk to stop processing requests of any kind. Se ha descubierto un problema en chan_skinny.c en Asterisk Open Source en versiones 13.18.2 y anteriores, 1... • https://packetstorm.news/files/id/146299 • CWE-459: Incomplete Cleanup •
CVSS: 8.8EPSS: 3%CPEs: 14EXPL: 0CVE-2017-16671 – Gentoo Linux Security Advisory 201811-11
https://notcve.org/view.php?id=CVE-2017-16671
09 Nov 2017 — A Buffer Overflow issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 before 14.7.1, and 15 before 15.1.1 and Certified Asterisk 13.13 before 13.13-cert7. No size checking is done when setting the user field for Party B on a CDR. Thus, it is possible for someone to use an arbitrarily large string and write past the end of the user field storage buffer. NOTE: this is different from CVE-2017-7617, which was only about the Party A buffer. Una vulnerabilidad de desbordamiento de búfer se descubri... • http://downloads.digium.com/pub/security/AST-2017-010.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 5.9EPSS: 5%CPEs: 14EXPL: 0CVE-2017-16672 – Gentoo Linux Security Advisory 201811-11
https://notcve.org/view.php?id=CVE-2017-16672
09 Nov 2017 — An issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 before 14.7.1, and 15 before 15.1.1 and Certified Asterisk 13.13 before 13.13-cert7. A memory leak occurs when an Asterisk pjsip session object is created and that call gets rejected before the session itself is fully established. When this happens the session object never gets destroyed. Eventually Asterisk can run out of memory and crash. Se descubrió un problema en Asterisk Open Source en versiones 13 anteriores a la 13.18.1, versiones... • http://downloads.digium.com/pub/security/AST-2017-011.html • CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 7.5EPSS: 0%CPEs: 189EXPL: 0CVE-2017-14603 – Gentoo Linux Security Advisory 201710-29
https://notcve.org/view.php?id=CVE-2017-14603
09 Oct 2017 — In Asterisk 11.x before 11.25.3, 13.x before 13.17.2, and 14.x before 14.6.2 and Certified Asterisk 11.x before 11.6-cert18 and 13.x before 13.13-cert6, insufficient RTCP packet validation could allow reading stale buffer contents and when combined with the "nat" and "symmetric_rtp" options allow redirecting where Asterisk sends the next RTCP report. En Asterisk enversiones 11.x anteriores a la 11.25.3, versiones 13.x anteriores a la 13.17.2 y versiones 14.x anteriores a la 14.6.2; y en Certified Asterisk e... • http://downloads.asterisk.org/pub/security/AST-2017-008.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.0EPSS: 1%CPEs: 1EXPL: 0CVE-2017-14001
https://notcve.org/view.php?id=CVE-2017-14001
26 Sep 2017 — An Improper Neutralization of Special Elements used in an OS Command issue was discovered in Digium Asterisk GUI 2.1.0 and prior. An OS command injection vulnerability has been identified that may allow the execution of arbitrary code on the system through the inclusion of OS commands in the URL request of the program. No se neutralizan correctamente los elementos especiales utilizados en un comando de sistema operativo en Digium Asterisk GUI 2.1.0 y anteriores. Se ha identificado una vulnerabilidad de inye... • http://www.securityfocus.com/bid/100950 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.5EPSS: 40%CPEs: 87EXPL: 0CVE-2017-14098 – Gentoo Linux Security Advisory 201710-29
https://notcve.org/view.php?id=CVE-2017-14098
02 Sep 2017 — In the pjsip channel driver (res_pjsip) in Asterisk 13.x before 13.17.1 and 14.x before 14.6.1, a carefully crafted tel URI in a From, To, or Contact header could cause Asterisk to crash. En el controlador de canal pjsip (res_pjsip) en Asterisk 13.x en versiones anteriores a la 13.17.1 y 14.x en versiones anteriores a la 14.6.1, una URI tel cuidadosamente manipulada en un encabezado From, To, o Contact podría provocar el bloqueo de Asterisk. Multiple vulnerabilities have been found in Asterisk, the worst of... • http://downloads.asterisk.org/pub/security/AST-2017-007.html • CWE-20: Improper Input Validation •