CVSS: 5.0EPSS: 37%CPEs: 81EXPL: 0CVE-2013-5642
https://notcve.org/view.php?id=CVE-2013-5642
The SIP channel driver (channels/chan_sip.c) in Asterisk Open Source 1.8.x before 1.8.23.1, 10.x before 10.12.3, and 11.x before 11.5.1; Certified Asterisk 1.8.15 before 1.8.15-cert3 and 11.2 before 11.2-cert2; and Asterisk Digiumphones 10.x-digiumphones before 10.12.3-digiumphones allows remote attackers to cause a denial of service (NULL pointer dereference, segmentation fault, and daemon crash) via an invalid SDP that defines a media description before the connection description in a SIP request. El controlador de canal SIP (channels/chan_sip.c) en Asterisk Open Source 1.8.x (anteriores a 1.8.23.1), 10.x (anteriores a 10.12.3), y 11.x (anteriores a 11.5.1); Certified Asterisk 1.8.15 (anteriores a 1.8.15-cert3) y 11.2 (anteriores a 11.2-cert2); y Asterisk Digiumphones 10.x-digiumphones (anteriores a 10.12.3-digiumphones) permiten a un atcante remoto causar una denegación de servicio (referencia a puntero nulo, corrupción de memoria, y caída del demonio) a través de un SDP inválido que define una descripción de medios antes de la descripción de conexión en una petición SIP. • http://archives.neohapsis.com/archives/bugtraq/2013-08/0174.html http://downloads.asterisk.org/pub/security/AST-2013-005.html http://osvdb.org/96690 http://secunia.com/advisories/54534 http://secunia.com/advisories/54617 http://www.debian.org/security/2013/dsa-2749 http://www.mandriva.com/security/advisories?name=MDVSA-2013:223 http://www.securityfocus.com/bid/62022 http://www.securitytracker.com/id/1028957 https://issues.asterisk.org/jira/browse/ASTERISK-22007 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 1%CPEs: 206EXPL: 0CVE-2012-5977
https://notcve.org/view.php?id=CVE-2012-5977
Asterisk Open Source 1.8.x before 1.8.19.1, 10.x before 10.11.1, and 11.x before 11.1.2; Certified Asterisk 1.8.11 before 1.8.11-cert10; and Asterisk Digiumphones 10.x-digiumphones before 10.11.1-digiumphones, when anonymous calls are enabled, allow remote attackers to cause a denial of service (resource consumption) by making anonymous calls from multiple sources and consequently adding many entries to the device state cache. Asterisk Open Source v1.8.x anteriores a v1.8.19.1, v10.x anteriores a v10.11.1, y v11.x anteriores a v11.1.2; Certified Asterisk v1.8.11 anteriores a v1.8.11-cert10; y Asterisk Digiumphones v10.x-digiumphones anteriores a v10.11.1-digiumphones, cuando están permitidas las llamadas anónimas, permiten a atacantes remotos a provocar una denegación de servicio(consumo de recursos) haciendo llamadas anónimas desde múltiples fuentes y en consecuencia, añadir varias entradas a la caché de estado del dispositivo. • http://downloads.asterisk.org/pub/security/AST-2012-015 http://www.debian.org/security/2013/dsa-2605 https://issues.asterisk.org/jira/browse/ASTERISK-20175 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 5.0EPSS: 59%CPEs: 206EXPL: 0CVE-2012-5976
https://notcve.org/view.php?id=CVE-2012-5976
Multiple stack consumption vulnerabilities in Asterisk Open Source 1.8.x before 1.8.19.1, 10.x before 10.11.1, and 11.x before 11.1.2; Certified Asterisk 1.8.11 before 1.8.11-cert10; and Asterisk Digiumphones 10.x-digiumphones before 10.11.1-digiumphones allow remote attackers to cause a denial of service (daemon crash) via TCP data using the (1) SIP, (2) HTTP, or (3) XMPP protocol. Multiples vulnerabilidades de consumo en Asterisk Open Source v1.8.x anteriores a v1.8.19.1, v10.x anteriores a v10.11.1, y v11.x anteriores a v11.1.2; Certified Asterisk v1.8.11 anteriores a v1.8.11-cert10; y Asterisk Digiumphones 10.x-digiumphones anteriores a 10.11.1-digiumphones permite a atacantes remotos provocar una denegación de servicio (caíde del demonio) a través de datos TCP usando los protocolos (1) SIP, (2) HTTP, o (3) XMPP. • http://downloads.asterisk.org/pub/security/AST-2012-014 http://www.debian.org/security/2013/dsa-2605 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 6.0EPSS: 0%CPEs: 144EXPL: 0CVE-2012-4737
https://notcve.org/view.php?id=CVE-2012-4737
channels/chan_iax2.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert7, Asterisk Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6 does not enforce ACL rules during certain uses of peer credentials, which allows remote authenticated users to bypass intended outbound-call restrictions by leveraging the availability of these credentials. channels/chan_iax2.c en Asterisk Open Source v1.8.x antes de v1.8.15.1 y v10.x antes de v10.7.1, Certified Asterisk v1.8.11-1.8.11 antes de cert7, Digiumphones Asterisk v10.xx-digiumphones antes de v10.7.1-digiumphones y Asterisk Business Edition C.3.x antes de C.3.7.6 no hace cumplir las reglas de ACL durante ciertos usos del par de credenciales, lo que permite a usuarios remotos autenticados eludir las restricciones de llamadas de salida aprovechándose de la disponibilidad de estas credenciales. • http://downloads.asterisk.org/pub/security/AST-2012-013.html http://secunia.com/advisories/50687 http://secunia.com/advisories/50756 http://www.debian.org/security/2012/dsa-2550 http://www.securityfocus.com/bid/55335 http://www.securitytracker.com/id?1027461 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.0EPSS: 1%CPEs: 133EXPL: 0CVE-2012-3863
https://notcve.org/view.php?id=CVE-2012-3863
channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.13.1 and 10.x before 10.5.2, Asterisk Business Edition C.3.x before C.3.7.5, Certified Asterisk 1.8.11-certx before 1.8.11-cert4, and Asterisk Digiumphones 10.x.x-digiumphones before 10.5.2-digiumphones does not properly handle a provisional response to a SIP reINVITE request, which allows remote authenticated users to cause a denial of service (RTP port exhaustion) via sessions that lack final responses. Asterisk Open Source v1.8.x anterior a v1.8.13.1 y v10.x anterior a v10.5.2, Asterisk Business Edition vC.3.x anterior a vC.3.7.5, Certified Asterisk v1.8.11-certx anterior a v1.8.11-cert4, y Asterisk Digiumphones v10.x.x-digiumphones anterior a v10.5.2-digiumphones no maneja una respuesta provisional a una petición SIP reINVITE de forma adecuada, lo que permite a atacantes remotos autenticados provocar una denegación de servicio (agotamiento de puerto RTP) a través de sesiones que carecen de repuestas finales. • http://downloads.asterisk.org/pub/security/AST-2012-010.html http://secunia.com/advisories/50687 http://secunia.com/advisories/50756 http://www.debian.org/security/2012/dsa-2550 http://www.securityfocus.com/bid/54327 https://issues.asterisk.org/jira/browse/ASTERISK-19992 • CWE-399: Resource Management Errors •