
CVSS: 8.8 | EPSS: 1% | CPEs: 14 | EXPL: 0

A Buffer Overflow issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 before 14.7.1, and 15 before 15.1.1 and Certified Asterisk 13.13 before 13.13-cert7. No size checking is done when setting the user field for Party B on a CDR. Thus, it is possible for someone to use an arbitrarily large string and write past the end of the user field storage buffer. NOTE: this is different from CVE-2017-7617, which was only about the Party A buffer.

• http://downloads.digium.com/pub/security/AST-2017-010.html
• http://www.securityfocus.com/bid/101760
• https://issues.asterisk.org/jira/browse/ASTERISK-27337
• https://security.gentoo.org/glsa/201811-11
• https://www.debian.org/security/2017/dsa-4076
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSS: 5.9 | EPSS: 2% | CPEs: 14 | EXPL: 0

An issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 before 14.7.1, and 15 before 15.1.1 and Certified Asterisk 13.13 before 13.13-cert7. A memory leak occurs when an Asterisk pjsip session object is created and that call gets rejected before the session itself is fully established. When this happens, the session object never gets destroyed. Eventually Asterisk can run out of memory and crash.

• http://downloads.digium.com/pub/security/AST-2017-011.html
• http://www.securityfocus.com/bid/101765
• https://issues.asterisk.org/jira/browse/ASTERISK-27345
• https://security.gentoo.org/glsa/201811-11
• https://www.debian.org/security/2017/dsa-4076
• CWE-772: Missing Release of Resource after Effective Lifetime

CVSS: 7.5 | EPSS: 0% | CPEs: 189 | EXPL: 0

In Asterisk 11.x before 11.25.3, 13.x before 13.17.2, and 14.x before 14.6.2 and Certified Asterisk 11.x before 11.6-cert18 and 13.x before 13.13-cert6, insufficient RTCP packet validation could allow reading stale buffer contents and, when combined with the "nat" and "symmetric_rtp" options, allow redirecting where Asterisk sends the next RTCP report.

• http://downloads.asterisk.org/pub/security/AST-2017-008.html
• http://www.debian.org/security/2017/dsa-3990
• https://issues.asterisk.org/jira/browse/ASTERISK-27274
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

An Improper Neutralization of Special Elements used in an OS Command issue was discovered in Digium Asterisk GUI 2.1.0 and prior. An OS command injection vulnerability has been identified that may allow the execution of arbitrary code on the system through the inclusion of OS commands in the URL request of the program.

• http://www.securityfocus.com/bid/100950
• https://ics-cert.us-cert.gov/advisories/ICSA-17-264-03
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 7.5 | EPSS: 92% | CPEs: 87 | EXPL: 0

In the pjsip channel driver (res_pjsip) in Asterisk 13.x before 13.17.1 and 14.x before 14.6.1, a carefully crafted tel URI in a From, To, or Contact header could cause Asterisk to crash.

• http://downloads.asterisk.org/pub/security/AST-2017-007.html
• http://www.securityfocus.com/bid/100583
• http://www.securitytracker.com/id/1039253
• https://bugs.debian.org/873909
• https://issues.asterisk.org/jira/browse/ASTERISK-27152
• CWE-20: Improper Input Validation