CVE-2016-9938
https://notcve.org/view.php?id=CVE-2016-9938
An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace. This means that headers such as Contact\x01: will be seen as a valid Contact header. This mostly does not pose a problem until Asterisk is placed in tandem with an authenticating SIP proxy. • http://downloads.asterisk.org/pub/security/AST-2016-009.html http://www.securityfocus.com/bid/94789 http://www.securitytracker.com/id/1037408 • CWE-285: Improper Authorization •