CVSS: 6.5EPSS: 4%CPEs: 8EXPL: 0CVE-2019-12827
https://notcve.org/view.php?id=CVE-2019-12827
Buffer overflow in res_pjsip_messaging in Digium Asterisk versions 13.21-cert3, 13.27.0, 15.7.2, 16.4.0 and earlier allows remote authenticated users to crash Asterisk by sending a specially crafted SIP MESSAGE message. Desbordamiento de búfer en res_pjsip_messaging en Digium Asterisk versiones 13.21-cert3, 13.27.0, 15.7.2, 16.4.0 versiones anteriores permite a los atacantes remotos autenticados cerrar inesperadamente Asterisk enviando un mensaje SIP MESSAGE especialmente diseñado. • http://downloads.digium.com/pub/security/AST-2019-002.html https://issues.asterisk.org/jira/browse/ASTERISK-28447 • CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-7550
https://notcve.org/view.php?id=CVE-2016-7550
asterisk 13.10.0 is affected by: denial of service issues in asterisk. The impact is: cause a denial of service (remote). asterisk versión 13.10.0, se ve afectado por: problemas de Denegación de Servicio en asterisk. El impacto es: provocar una Denegación de Servicio (remota). • http://downloads.asterisk.org/pub/security/AST-2016-006.html • CWE-476: NULL Pointer Dereference •
CVSS: 7.5EPSS: 65%CPEs: 33EXPL: 0CVE-2018-17281
https://notcve.org/view.php?id=CVE-2018-17281
There is a stack consumption vulnerability in the res_http_websocket.so module of Asterisk through 13.23.0, 14.7.x through 14.7.7, and 15.x through 15.6.0 and Certified Asterisk through 13.21-cert2. It allows an attacker to crash Asterisk via a specially crafted HTTP request to upgrade the connection to a websocket. Hay una vulnerabilidad de consumo de pila en el módulo res_http_websocket.so de Asterisk hasta la versión 13.23.0; versiones 14.7.x anteriores a la 14.7.7 y las versiones 15.x anteriores a la 15.6.0, así como Certified Asterisk hasta la versión 13.21-cert2. Permite que un atacante provoque el cierre inesperado de Asterisk mediante una petición HTTP para actualizar la conexión a un websocket. • http://downloads.asterisk.org/pub/security/AST-2018-009.html http://packetstormsecurity.com/files/149453/Asterisk-Project-Security-Advisory-AST-2018-009.html http://seclists.org/fulldisclosure/2018/Sep/31 http://www.securityfocus.com/bid/105389 http://www.securitytracker.com/id/1041694 https://issues.asterisk.org/jira/browse/ASTERISK-28013 https://lists.debian.org/debian-lts-announce/2018/09/msg00034.html https://seclists.org/bugtraq/2018/Sep/53 https://security.gentoo.org/glsa/201811&# • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.3EPSS: 3%CPEs: 8EXPL: 0CVE-2018-12227
https://notcve.org/view.php?id=CVE-2018-12227
An issue was discovered in Asterisk Open Source 13.x before 13.21.1, 14.x before 14.7.7, and 15.x before 15.4.1 and Certified Asterisk 13.18-cert before 13.18-cert4 and 13.21-cert before 13.21-cert2. When endpoint specific ACL rules block a SIP request, they respond with a 403 forbidden. However, if an endpoint is not identified, then a 401 unauthorized response is sent. This vulnerability just discloses which requests hit a defined endpoint. The ACL rules cannot be bypassed to gain access to the disclosed endpoints. • http://downloads.asterisk.org/pub/security/AST-2018-008.html http://www.securityfocus.com/bid/104455 https://issues.asterisk.org/jira/browse/ASTERISK-27818 https://security.gentoo.org/glsa/201811-11 https://www.debian.org/security/2018/dsa-4320 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 78%CPEs: 7EXPL: 1CVE-2018-7284 – Asterisk chan_pjsip 15.2.0 - 'SUBSCRIBE' Stack Corruption
https://notcve.org/view.php?id=CVE-2018-7284
A Buffer Overflow issue was discovered in Asterisk through 13.19.1, 14.x through 14.7.5, and 15.x through 15.2.1, and Certified Asterisk through 13.18-cert2. When processing a SUBSCRIBE request, the res_pjsip_pubsub module stores the accepted formats present in the Accept headers of the request. This code did not limit the number of headers it processed, despite having a fixed limit of 32. If more than 32 Accept headers were present, the code would write outside of its memory and cause a crash. Se ha descubierto un problema de desbordamiento de búfer en Asterisk hasta la versión 13.19.1; versiones 14.x anteriores a la 14.7.5 y las versiones 15.x anteriores a la 15.2.1, así como Certified Asterisk hasta la versión 13.18-cert2. • https://www.exploit-db.com/exploits/44184 http://downloads.asterisk.org/pub/security/AST-2018-004.html http://www.securityfocus.com/bid/103151 http://www.securitytracker.com/id/1040416 https://www.debian.org/security/2018/dsa-4320 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •