CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2016-9937
https://notcve.org/view.php?id=CVE-2016-9937
12 Dec 2016 — An issue was discovered in Asterisk Open Source 13.12.x and 13.13.x before 13.13.1 and 14.x before 14.2.1. If an SDP offer or answer is received with the Opus codec and with the format parameters separated using a space the code responsible for parsing will recursively call itself until it crashes. This occurs as the code does not properly handle spaces separating the parameters. This does NOT require the endpoint to have Opus configured in Asterisk. This also does not require the endpoint to be authenticat... • http://downloads.asterisk.org/pub/security/AST-2016-008-13.diff • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 5.3EPSS: 1%CPEs: 146EXPL: 0CVE-2016-9938
https://notcve.org/view.php?id=CVE-2016-9938
12 Dec 2016 — An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace. This means that ... • http://downloads.asterisk.org/pub/security/AST-2016-009.html • CWE-285: Improper Authorization •
CVSS: 7.5EPSS: 6%CPEs: 113EXPL: 0CVE-2016-7551 – Debian Security Advisory 3700-1
https://notcve.org/view.php?id=CVE-2016-7551
26 Oct 2016 — chain_sip in Asterisk Open Source 11.x before 11.23.1 and 13.x 13.11.1 and Certified Asterisk 11.6 before 11.6-cert15 and 13.8 before 13.8-cert3 allows remote attackers to cause a denial of service (port exhaustion). chain_sip en Asterisk Open Source 11.x en versiones anteriores a 11.23.1 y 13.x 13.11.1 y Certified Asterisk 11.6 en versiones anteriores a 11.6-cert15 y 13.8 en versiones anteriores a 13.8-cert3 permite a atacantes remotos provocar una denegación de servicio (agotamiento portuario) Multiple vu... • http://downloads.asterisk.org/pub/security/AST-2016-007.html • CWE-399: Resource Management Errors •
CVSS: 6.5EPSS: 8%CPEs: 288EXPL: 0CVE-2016-2232 – Debian Security Advisory 3700-1
https://notcve.org/view.php?id=CVE-2016-2232
22 Feb 2016 — Asterisk Open Source 1.8.x, 11.x before 11.21.1, 12.x, and 13.x before 13.7.1 and Certified Asterisk 1.8.28, 11.6 before 11.6-cert12, and 13.1 before 13.1-cert3 allow remote authenticated users to cause a denial of service (uninitialized pointer dereference and crash) via a zero length error correcting redundancy packet for a UDPTL FAX packet that is lost. Asterisk Open Source 1.8.x, 11.x en versiones anteriores a 11.21.1, 12.x y 13.x en versiones anteriores a 13.7.1 y Certified Asterisk 1.8.28, 11.6 en ver... • http://downloads.asterisk.org/pub/security/AST-2016-003.html •
CVSS: 7.1EPSS: 0%CPEs: 290EXPL: 1CVE-2016-2316 – Debian Security Advisory 3700-1
https://notcve.org/view.php?id=CVE-2016-2316
22 Feb 2016 — chan_sip in Asterisk Open Source 1.8.x, 11.x before 11.21.1, 12.x, and 13.x before 13.7.1 and Certified Asterisk 1.8.28, 11.6 before 11.6-cert12, and 13.1 before 13.1-cert3, when the timert1 sip.conf configuration is set to a value greater than 1245, allows remote attackers to cause a denial of service (file descriptor consumption) via vectors related to large retransmit timeout values. chan_sip en Asterisk Open Source 1.8.x, 11.x en versiones anteriores a 11.21.1, 12.x y 13.x en versiones anteriores a 13.7... • http://downloads.asterisk.org/pub/security/AST-2016-002.html • CWE-191: Integer Underflow (Wrap or Wraparound) •
CVSS: 7.5EPSS: 45%CPEs: 322EXPL: 0CVE-2015-3008 – Debian Security Advisory 3700-1
https://notcve.org/view.php?id=CVE-2015-3008
09 Apr 2015 — Asterisk Open Source 1.8 before 1.8.32.3, 11.x before 11.17.1, 12.x before 12.8.2, and 13.x before 13.3.2 and Certified Asterisk 1.8.28 before 1.8.28-cert5, 11.6 before 11.6-cert11, and 13.1 before 13.1-cert2, when registering a SIP TLS device, does not properly handle a null byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. As... • http://advisories.mageia.org/MGASA-2015-0153.html • CWE-310: Cryptographic Issues •
CVSS: 6.5EPSS: 19%CPEs: 34EXPL: 0CVE-2015-1558
https://notcve.org/view.php?id=CVE-2015-1558
09 Feb 2015 — Asterisk Open Source 12.x before 12.8.1 and 13.x before 13.1.1, when using the PJSIP channel driver, does not properly reclaim RTP ports, which allows remote authenticated users to cause a denial of service (file descriptor consumption) via an SDP offer containing only incompatible codecs. Asterisk Open Source 12.x anterior a 12.8.1 y 13.x anterior a 13.1.1, cuando utiliza el controlador de canales PJSIP, no recupera correctamente los puertos RTP, lo que permite a usuarios remotos autenticados causar una de... • http://downloads.asterisk.org/pub/security/AST-2015-001.html • CWE-399: Resource Management Errors •
CVSS: 7.5EPSS: 49%CPEs: 80EXPL: 0CVE-2014-9374 – Mandriva Linux Security Advisory 2015-018
https://notcve.org/view.php?id=CVE-2014-9374
12 Dec 2014 — Double free vulnerability in the WebSocket Server (res_http_websocket module) in Asterisk Open Source 11.x before 11.14.2, 12.x before 12.7.2, and 13.x before 13.0.2 and Certified Asterisk 11.6 before 11.6-cert9 allows remote attackers to cause a denial of service (crash) by sending a zero length frame after a non-zero length frame. Vulnerabilidad de doble liberación en WebSocket Server (el módulo res_http_websocket) en Asterisk Open Source 11.x anterior a 11.14.2, 12.x anterior a 12.7.2, y 13.x anterior a ... • http://advisories.mageia.org/MGASA-2015-0010.html •
CVSS: 5.0EPSS: 0%CPEs: 15EXPL: 0CVE-2014-8412 – Gentoo Linux Security Advisory 201412-51
https://notcve.org/view.php?id=CVE-2014-8412
24 Nov 2014 — The (1) VoIP channel drivers, (2) DUNDi, and (3) Asterisk Manager Interface (AMI) in Asterisk Open Source 1.8.x before 1.8.32.1, 11.x before 11.14.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 1.8.28 before 1.8.28-cert3 and 11.6 before 11.6-cert8 allows remote attackers to bypass the ACL restrictions via a packet with a source IP that does not share the address family as the first ACL entry. (1) Los controladores de canales VoIP, (2) DUNDi, y (3) Asterisk Manager Interface (AMI) en As... • http://downloads.asterisk.org/pub/security/AST-2014-012.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2014-8413
https://notcve.org/view.php?id=CVE-2014-8413
24 Nov 2014 — The res_pjsip_acl module in Asterisk Open Source 12.x before 12.7.1 and 13.x before 13.0.1 does not properly create and load ACLs defined in pjsip.conf at startup, which allows remote attackers to bypass intended PJSIP ACL rules. El módulo res_pjsip_acl en Asterisk Open Source 12.x en versiones anteriores a 12.7.1 y 13.x en versiones anteriores a 13.0.1 no crea y carga adecuadamente ACLs definidos en pjsip.conf en el arranque, lo que permite a atacantes remotos eludir las reglas previstas para PJSIP ACL. • http://downloads.asterisk.org/pub/security/AST-2014-013.html • CWE-264: Permissions, Privileges, and Access Controls •