CVSS: 7.5EPSS: 91%CPEs: 7EXPL: 0CVE-2017-17850 – Gentoo Linux Security Advisory 201811-11
https://notcve.org/view.php?id=CVE-2017-17850
23 Dec 2017 — An issue was discovered in Asterisk 13.18.4 and older, 14.7.4 and older, 15.1.4 and older, and 13.18-cert1 and older. A select set of SIP messages create a dialog in Asterisk. Those SIP messages must contain a contact header. For those messages, if the header was not present and the PJSIP channel driver was used, Asterisk would crash. The severity of this vulnerability is somewhat mitigated if authentication is enabled. • http://downloads.asterisk.org/pub/security/AST-2017-014.html • CWE-20: Improper Input Validation •
CVSS: 5.9EPSS: 83%CPEs: 16EXPL: 0CVE-2017-17664
https://notcve.org/view.php?id=CVE-2017-17664
13 Dec 2017 — A Remote Crash issue was discovered in Asterisk Open Source 13.x before 13.18.4, 14.x before 14.7.4, and 15.x before 15.1.4 and Certified Asterisk before 13.13-cert9. Certain compound RTCP packets cause a crash in the RTCP Stack. Se ha descubierto un problema de cierre inesperado remoto en Asterisk Open Source en versiones 13.x anteriores a la 13.18.4; versiones 14.x anteriores a la 14.7.4 y las versiones 15.x anteriores a la 15.1.4, así como Certified Asterisk en versiones anteriores a la 13.13-cert9. Cier... • http://downloads.digium.com/pub/security/AST-2017-012.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 46%CPEs: 15EXPL: 2CVE-2017-17090 – Asterisk 13.17.2 - 'chan_skinny' Remote Memory Corruption
https://notcve.org/view.php?id=CVE-2017-17090
02 Dec 2017 — An issue was discovered in chan_skinny.c in Asterisk Open Source 13.18.2 and older, 14.7.2 and older, and 15.1.2 and older, and Certified Asterisk 13.13-cert7 and older. If the chan_skinny (aka SCCP protocol) channel driver is flooded with certain requests, it can cause the asterisk process to use excessive amounts of virtual memory, eventually causing asterisk to stop processing requests of any kind. Se ha descubierto un problema en chan_skinny.c en Asterisk Open Source en versiones 13.18.2 y anteriores, 1... • https://packetstorm.news/files/id/146299 • CWE-459: Incomplete Cleanup •
CVSS: 5.9EPSS: 9%CPEs: 14EXPL: 0CVE-2017-16672 – Gentoo Linux Security Advisory 201811-11
https://notcve.org/view.php?id=CVE-2017-16672
09 Nov 2017 — An issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 before 14.7.1, and 15 before 15.1.1 and Certified Asterisk 13.13 before 13.13-cert7. A memory leak occurs when an Asterisk pjsip session object is created and that call gets rejected before the session itself is fully established. When this happens the session object never gets destroyed. Eventually Asterisk can run out of memory and crash. Se descubrió un problema en Asterisk Open Source en versiones 13 anteriores a la 13.18.1, versiones... • http://downloads.digium.com/pub/security/AST-2017-011.html • CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 8.8EPSS: 12%CPEs: 14EXPL: 0CVE-2017-16671 – Gentoo Linux Security Advisory 201811-11
https://notcve.org/view.php?id=CVE-2017-16671
09 Nov 2017 — A Buffer Overflow issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 before 14.7.1, and 15 before 15.1.1 and Certified Asterisk 13.13 before 13.13-cert7. No size checking is done when setting the user field for Party B on a CDR. Thus, it is possible for someone to use an arbitrarily large string and write past the end of the user field storage buffer. NOTE: this is different from CVE-2017-7617, which was only about the Party A buffer. Una vulnerabilidad de desbordamiento de búfer se descubri... • http://downloads.digium.com/pub/security/AST-2017-010.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 2%CPEs: 189EXPL: 0CVE-2017-14603 – Gentoo Linux Security Advisory 201710-29
https://notcve.org/view.php?id=CVE-2017-14603
09 Oct 2017 — In Asterisk 11.x before 11.25.3, 13.x before 13.17.2, and 14.x before 14.6.2 and Certified Asterisk 11.x before 11.6-cert18 and 13.x before 13.13-cert6, insufficient RTCP packet validation could allow reading stale buffer contents and when combined with the "nat" and "symmetric_rtp" options allow redirecting where Asterisk sends the next RTCP report. En Asterisk enversiones 11.x anteriores a la 11.25.3, versiones 13.x anteriores a la 13.17.2 y versiones 14.x anteriores a la 14.6.2; y en Certified Asterisk e... • http://downloads.asterisk.org/pub/security/AST-2017-008.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 93%CPEs: 189EXPL: 0CVE-2017-14100 – Gentoo Linux Security Advisory 201710-29
https://notcve.org/view.php?id=CVE-2017-14100
02 Sep 2017 — In Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized command execution is possible. The app_minivm module has an "externnotify" program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from... • http://downloads.asterisk.org/pub/security/AST-2017-006.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.5EPSS: 90%CPEs: 87EXPL: 0CVE-2017-14098 – Gentoo Linux Security Advisory 201710-29
https://notcve.org/view.php?id=CVE-2017-14098
02 Sep 2017 — In the pjsip channel driver (res_pjsip) in Asterisk 13.x before 13.17.1 and 14.x before 14.6.1, a carefully crafted tel URI in a From, To, or Contact header could cause Asterisk to crash. En el controlador de canal pjsip (res_pjsip) en Asterisk 13.x en versiones anteriores a la 13.17.1 y 14.x en versiones anteriores a la 14.6.1, una URI tel cuidadosamente manipulada en un encabezado From, To, o Contact podría provocar el bloqueo de Asterisk. Multiple vulnerabilities have been found in Asterisk, the worst of... • http://downloads.asterisk.org/pub/security/AST-2017-007.html • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 3%CPEs: 189EXPL: 0CVE-2017-14099 – Asterisk Project Security Advisory - AST-2017-008
https://notcve.org/view.php?id=CVE-2017-14099
02 Sep 2017 — In res/res_rtp_asterisk.c in Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized data disclosure (media takeover in the RTP stack) is possible with careful timing by an attacker. The "strictrtp" option in rtp.conf enables a feature of the RTP stack that learns the source address of media for a session and drops any packets that do not originate from the expected address. This option is enabled by d... • http://downloads.asterisk.org/pub/security/AST-2017-005.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 1%CPEs: 61EXPL: 0CVE-2017-7617
https://notcve.org/view.php?id=CVE-2017-7617
10 Apr 2017 — Remote code execution can occur in Asterisk Open Source 13.x before 13.14.1 and 14.x before 14.3.1 and Certified Asterisk 13.13 before 13.13-cert3 because of a buffer overflow in a CDR user field, related to X-ClientCode in chan_sip, the CDR dialplan function, and the AMI Monitor action. La ejecución remota de código puede ocurrir en Asterisk Open Source 13.x en versiones anteriores a 13.14.1 y 14.x en versiones anteriores a 14.3.1 y Asterisk certificado 13.13 en versiones anteriores a 13.13-cert3 debido a ... • http://downloads.asterisk.org/pub/security/AST-2017-001.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •