CVSS: 7.8EPSS: 8%CPEs: 122EXPL: 0CVE-2008-3264
https://notcve.org/view.php?id=CVE-2008-3264
The FWDOWNL firmware-download implementation in Asterisk Open Source 1.0.x, 1.2.x before 1.2.30, and 1.4.x before 1.4.21.2; Business Edition A.x.x, B.x.x before B.2.5.4, and C.x.x before C.1.10.3; AsteriskNOW; Appliance Developer Kit 0.x.x; and s800i 1.0.x before 1.2.0.1 allows remote attackers to cause a denial of service (traffic amplification) via an IAX2 FWDOWNL request. La implementación FWDOWNL firmware-download en Asterisk Open Source 1.0.x, 1.2.x antes de 1.2.30 y 1.4.x antes de 1.4.21.2; Business Edition A.x.x, B.x.x antes de B.2.5.4 y C.x.x antes de C.1.10.3; AsteriskNOW; Appliance Developer Kit 0.x.x; y s800i 1.0.x antes de 1.2.0.1 permite a atacantes remotos provocar una denegación de servicio (amplificación del tráfico) mediante una petición IAX2 FWDOWNL. • http://downloads.digium.com/pub/security/AST-2008-011.html http://secunia.com/advisories/31178 http://secunia.com/advisories/31194 http://secunia.com/advisories/34982 http://security.gentoo.org/glsa/glsa-200905-01.xml http://www.securityfocus.com/archive/1/494676/100/0/threaded http://www.securityfocus.com/bid/30350 http://www.securitytracker.com/id?1020536 http://www.vupen.com/english/advisories/2008/2168/references https://exchange.xforce.ibmcloud.com/vulnerabilities/43955 https • CWE-287: Improper Authentication •
CVSS: 7.8EPSS: 96%CPEs: 108EXPL: 3CVE-2008-3263 – Asterisk 1.6 IAX - 'POKE' Requests Remote Denial of Service
https://notcve.org/view.php?id=CVE-2008-3263
The IAX2 protocol implementation in Asterisk Open Source 1.0.x, 1.2.x before 1.2.30, and 1.4.x before 1.4.21.2; Business Edition A.x.x, B.x.x before B.2.5.4, and C.x.x before C.1.10.3; AsteriskNOW; Appliance Developer Kit 0.x.x; and s800i 1.0.x before 1.2.0.1 allows remote attackers to cause a denial of service (call-number exhaustion and CPU consumption) by quickly sending a large number of IAX2 (IAX) POKE requests. La implementación del protocolo IAX2 en Asterisk Open Source versiones 1.0.x, versiones 1.2.x anteriores a 1.2.30 y versiones 1.4.x anteriores a 1.4.21.2; Business Edition versiones A.x.x, versiones B.x.x anteriores a B.2.5.4 y versiones C.x.x anteriores a C.1.10.3; AsteriskNOW; Appliance Developer Kit versiones 0.x.x; y s800i versiones 1.0.x anteriores a 1.2.0.1, permite a los atacantes remotos causar una denegación de servicio (agotamiento del número de llamadas y consumo de CPU) mediante el envío rápido de un gran número de peticiones POKE de IAX2 (IAX). • https://www.exploit-db.com/exploits/32095 http://downloads.digium.com/pub/security/AST-2008-010.html http://downloads.securityfocus.com/vulnerabilities/exploits/30321.pl http://secunia.com/advisories/31178 http://secunia.com/advisories/31194 http://secunia.com/advisories/34982 http://security.gentoo.org/glsa/glsa-200905-01.xml http://www.securityfocus.com/archive/1/494675/100/0/threaded http://www.securityfocus.com/bid/30321 http://www.securitytracker.com/id?1020535 http:// • CWE-399: Resource Management Errors •
CVSS: 7.1EPSS: 2%CPEs: 137EXPL: 0CVE-2008-1923
https://notcve.org/view.php?id=CVE-2008-1923
The IAX2 channel driver (chan_iax2) in Asterisk 1.2 before revision 72630 and 1.4 before revision 65679, when configured to allow unauthenticated calls, sends "early audio" to an unverified source IP address of a NEW message, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed NEW message. El IAX2 channel driver (chan_iax2) en Asterisk 1.2 anterior a la revisión 72630 y 1.4 anterior a la revisión 65679, cuando está configurado para permitir llamadas sin autenticación, envía "early audio" a una IP sin verificar de un mensaje NEW, lo que permite a atacantes remotos provocar una denegación de servicio (amplificación del tráfico) a través de un mensaje NEW falseado. • http://bugs.digium.com/view.php?id=10078 http://downloads.digium.com/pub/security/AST-2008-006.html http://www.altsci.com/concepts/page.php?s=asteri&p=1 https://exchange.xforce.ibmcloud.com/vulnerabilities/42049 • CWE-16: Configuration •
CVSS: 6.5EPSS: 0%CPEs: 10EXPL: 0CVE-2007-6170
https://notcve.org/view.php?id=CVE-2007-6170
SQL injection vulnerability in the Call Detail Record Postgres logging engine (cdr_pgsql) in Asterisk 1.4.x before 1.4.15, 1.2.x before 1.2.25, B.x before B.2.3.4, and C.x before C.1.0-beta6 allows remote authenticated users to execute arbitrary SQL commands via (1) ANI and (2) DNIS arguments. Vulnerabilidad de inyección SQL en el motor de registro Call Detail Record Postgres (cdr_pgsql) de Asterisk 1.4.x anterior a 1.4.15, 1.2.x anterior a 1.2.25, B.x anterior a B.2.3.4, y C.x anterior a C.1.0-beta6 permite a usuarios remotos autenticados ejecutar comandos SQL de su elección mediante los argumentos (1) ANI y (2) DNIS. • http://downloads.digium.com/pub/security/AST-2007-026.html http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html http://secunia.com/advisories/27827 http://secunia.com/advisories/27892 http://secunia.com/advisories/29242 http://secunia.com/advisories/29782 http://security.gentoo.org/glsa/glsa-200804-13.xml http://securitytracker.com/id?1019020 http://www.debian.org/security/2007/dsa-1417 http://www.securityfocus.com/archive/1/484388/100/0/threaded http: • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.8EPSS: 3%CPEs: 1EXPL: 0CVE-2007-5358
https://notcve.org/view.php?id=CVE-2007-5358
Multiple buffer overflows in the voicemail functionality in Asterisk 1.4.x before 1.4.13, when using IMAP storage, might allow (1) remote attackers to execute arbitrary code via a long combination of Content-type and Content-description headers, or (2) local users to execute arbitrary code via a long combination of astspooldir, voicemail context, and voicemail mailbox fields. NOTE: vector 2 requires write access to Asterisk configuration files. Múltiples desbordamientos de búfer en la funcionalidad de voicemail del Asterisk 1.4.x anterior al 1.4.13, cuando se utiliza el almacenamiento IMAP, puede permitir (1) a atacantes ejecutar código de su elección a través de una combinación larga de cabeceras dependientes del tipo (Content-type) y de la descripción (Content-description), o (2) usuarios locales ejecutar código de su elección a través de una combinación larga de los campos astspooldir, voicemail context y voicemail mailbox. NOTA: el vector 2 requiere acceso de escritura en los ficheros de configuración del Asterisk. • http://downloads.digium.com/pub/security/AST-2007-022.html http://osvdb.org/38201 http://osvdb.org/38202 http://secunia.com/advisories/27184 http://www.securityfocus.com/archive/1/481996/100/0/threaded http://www.securityfocus.com/bid/26005 http://www.securitytracker.com/id?1018804 http://www.vupen.com/english/advisories/2007/3454 https://exchange.xforce.ibmcloud.com/vulnerabilities/37051 https://exchange.xforce.ibmcloud.com/vulnerabilities/37052 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •