9 results (0.021 seconds)

CVSS: 5.0EPSS: 0%CPEs: 150EXPL: 0

IAX2 in Asterisk Open Source 1.2.x before 1.2.31, 1.4.x before 1.4.23-rc4, and 1.6.x before 1.6.0.3-rc2; Business Edition A.x.x, B.x.x before B.2.5.7, C.1.x.x before C.1.10.4, and C.2.x.x before C.2.1.2.1; and s800i 1.2.x before 1.3.0 responds differently to a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. IAX2 en Asterisk Open Source v1.2.x anterior a v1.2.31, v1.4.x anterior a v1.4.23-rc4, y v1.6.x anterior a v1.6.0.3-rc2; Business Edition A.x.x, B.x.x anterior a B.2.5.7, C.1.x.x anterior a C.1.10.4, y C.2.x.x anterior a C.2.1.2.1; y s800i 1.2.x anterior a v1.3.0 responden de manera distinta ante un intento de acceso fallido dependiendo de si la cuenta de usuario existe, lo que permite a atacantes remotos listar nombres de usuario válidos. • http://downloads.digium.com/pub/security/AST-2009-001.html http://secunia.com/advisories/33453 http://secunia.com/advisories/34982 http://secunia.com/advisories/37677 http://security.gentoo.org/glsa/glsa-200905-01.xml http://securityreason.com/securityalert/4910 http://www.debian.org/security/2009/dsa-1952 http://www.securityfocus.com/archive/1/499884/100/0/threaded http://www.securityfocus.com/bid/33174 http://www.securitytracker.com/id?1021549 http://www.vupen.com/e • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 4.3EPSS: 7%CPEs: 17EXPL: 0

Asterisk Open Source 1.2.26 through 1.2.30.3 and Business Edition B.2.3.5 through B.2.5.5, when realtime IAX2 users are enabled, allows remote attackers to cause a denial of service (crash) via authentication attempts involving (1) an unknown user or (2) a user using hostname matching. Asterisk Open Source 1.2.26 hasta 1.2.30.3 y Business Edition B.2.3.5 hasta B.2.5.5, cuando los usuarios realtime IAX2 son habilitados, permite a los atacantes remotos causar una denegación de servicio (caída) a través de intentos de autenticación relativos a (1) usuarios desconocidos o (2) usuarios que usan hostname coincidentes. • http://downloads.digium.com/pub/security/AST-2008-012.html http://osvdb.org/50675 http://secunia.com/advisories/32956 http://secunia.com/advisories/34982 http://security.gentoo.org/glsa/glsa-200905-01.xml http://securityreason.com/securityalert/4769 http://www.securityfocus.com/archive/1/499117/100/0/threaded http://www.securityfocus.com/bid/32773 http://www.securitytracker.com/id?1021378 http://www.vupen.com/english/advisories/2008/3403 • CWE-287: Improper Authentication •

CVSS: 7.8EPSS: 8%CPEs: 122EXPL: 0

The FWDOWNL firmware-download implementation in Asterisk Open Source 1.0.x, 1.2.x before 1.2.30, and 1.4.x before 1.4.21.2; Business Edition A.x.x, B.x.x before B.2.5.4, and C.x.x before C.1.10.3; AsteriskNOW; Appliance Developer Kit 0.x.x; and s800i 1.0.x before 1.2.0.1 allows remote attackers to cause a denial of service (traffic amplification) via an IAX2 FWDOWNL request. La implementación FWDOWNL firmware-download en Asterisk Open Source 1.0.x, 1.2.x antes de 1.2.30 y 1.4.x antes de 1.4.21.2; Business Edition A.x.x, B.x.x antes de B.2.5.4 y C.x.x antes de C.1.10.3; AsteriskNOW; Appliance Developer Kit 0.x.x; y s800i 1.0.x antes de 1.2.0.1 permite a atacantes remotos provocar una denegación de servicio (amplificación del tráfico) mediante una petición IAX2 FWDOWNL. • http://downloads.digium.com/pub/security/AST-2008-011.html http://secunia.com/advisories/31178 http://secunia.com/advisories/31194 http://secunia.com/advisories/34982 http://security.gentoo.org/glsa/glsa-200905-01.xml http://www.securityfocus.com/archive/1/494676/100/0/threaded http://www.securityfocus.com/bid/30350 http://www.securitytracker.com/id?1020536 http://www.vupen.com/english/advisories/2008/2168/references https://exchange.xforce.ibmcloud.com/vulnerabilities/43955 https • CWE-287: Improper Authentication •

CVSS: 4.3EPSS: 1%CPEs: 53EXPL: 1

Asterisk Open Source 1.0.x and 1.2.x before 1.2.29 and Business Edition A.x.x and B.x.x before B.2.5.3, when pedantic parsing (aka pedanticsipchecking) is enabled, allows remote attackers to cause a denial of service (daemon crash) via a SIP INVITE message that lacks a From header, related to invocations of the ast_uri_decode function, and improper handling of (1) an empty const string and (2) a NULL pointer. Asterisk Open Source 1.0.x y 1.2.x anterior 1.2.29 y Business Edition A.x.x y B.x.x anterior B.2.5.3, cuando "pedantic parsing" (también conocido como pedanticsipchecking) está activado, permite a atacantes remotos provocar una denegación de servicio (caída de demonio) a través de un mensaje SIP INVITE que carece de una cabecera From, relacionado con la invocación de la función ast_uri_decode y el manejo incorrecto de (1) una cadena const vacía y (2) un puntero NULL. • https://www.exploit-db.com/exploits/5749 http://bugs.digium.com/view.php?id=12607 http://downloads.digium.com/pub/security/AST-2008-008.html http://secunia.com/advisories/30517 http://secunia.com/advisories/34982 http://security.gentoo.org/glsa/glsa-200905-01.xml http://svn.digium.com/view/asterisk?view=rev&revision=120109 http://www.securityfocus.com/archive/1/493020/100/0/threaded http://www.securitytracker.com/id?1020166 http://www.vupen.com/english/advisories/2008 • CWE-20: Improper Input Validation •

CVSS: 7.1EPSS: 2%CPEs: 137EXPL: 0

The IAX2 channel driver (chan_iax2) in Asterisk 1.2 before revision 72630 and 1.4 before revision 65679, when configured to allow unauthenticated calls, sends "early audio" to an unverified source IP address of a NEW message, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed NEW message. El IAX2 channel driver (chan_iax2) en Asterisk 1.2 anterior a la revisión 72630 y 1.4 anterior a la revisión 65679, cuando está configurado para permitir llamadas sin autenticación, envía "early audio" a una IP sin verificar de un mensaje NEW, lo que permite a atacantes remotos provocar una denegación de servicio (amplificación del tráfico) a través de un mensaje NEW falseado. • http://bugs.digium.com/view.php?id=10078 http://downloads.digium.com/pub/security/AST-2008-006.html http://www.altsci.com/concepts/page.php?s=asteri&p=1 https://exchange.xforce.ibmcloud.com/vulnerabilities/42049 • CWE-16: Configuration •