CVE-2017-16671
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A Buffer Overflow issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 before 14.7.1, and 15 before 15.1.1 and Certified Asterisk 13.13 before 13.13-cert7. No size checking is done when setting the user field for Party B on a CDR. Thus, it is possible for someone to use an arbitrarily large string and write past the end of the user field storage buffer. NOTE: this is different from CVE-2017-7617, which was only about the Party A buffer.
Una vulnerabilidad de desbordamiento de búfer se descubrió en Asterisk Open Source en versiones 13 anteriores a la 13.18.1, versiones 14 anteriores a la 14.7.1 y versiones 15 antes de la 15.1.1 y en Certified Asterisk 13.13 en versiones anteriores a la 13.13-cert7. No se realizan chequeos de tamaño cuando se configura el campo user para Party B en un CDR. Por ello, es posible que alguien utilice una cadena arbitraria con una longitud larga y escriba más allá del final del búfer de almacenamiento del campo user. NOTA: esta vulnerabilidad es diferente de CVE-2017-7617, que solo trataba del búfer Party A.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-11-08 CVE Reserved
- 2017-11-09 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/101760 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://downloads.digium.com/pub/security/AST-2017-010.html | 2018-11-25 | |
| https://issues.asterisk.org/jira/browse/ASTERISK-27337 | 2018-11-25 | |
| https://security.gentoo.org/glsa/201811-11 | 2018-11-25 | |
| https://www.debian.org/security/2017/dsa-4076 | 2018-11-25 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Digium Search vendor "Digium" | Asterisk Search vendor "Digium" for product "Asterisk" | >= 13.0.0 < 13.18.1 Search vendor "Digium" for product "Asterisk" and version " >= 13.0.0 < 13.18.1" | - |
Affected
| ||||||
| Digium Search vendor "Digium" | Asterisk Search vendor "Digium" for product "Asterisk" | >= 14.0.0 < 14.7.1 Search vendor "Digium" for product "Asterisk" and version " >= 14.0.0 < 14.7.1" | - |
Affected
| ||||||
| Digium Search vendor "Digium" | Asterisk Search vendor "Digium" for product "Asterisk" | >= 15.0.0 < 15.1.1 Search vendor "Digium" for product "Asterisk" and version " >= 15.0.0 < 15.1.1" | - |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 13.13.0 Search vendor "Digium" for product "Certified Asterisk" and version "13.13.0" | - |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 13.13.0 Search vendor "Digium" for product "Certified Asterisk" and version "13.13.0" | cert1 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 13.13.0 Search vendor "Digium" for product "Certified Asterisk" and version "13.13.0" | cert1_rc1 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 13.13.0 Search vendor "Digium" for product "Certified Asterisk" and version "13.13.0" | cert1_rc2 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 13.13.0 Search vendor "Digium" for product "Certified Asterisk" and version "13.13.0" | cert1_rc3 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 13.13.0 Search vendor "Digium" for product "Certified Asterisk" and version "13.13.0" | cert1_rc4 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 13.13.0 Search vendor "Digium" for product "Certified Asterisk" and version "13.13.0" | cert2 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 13.13.0 Search vendor "Digium" for product "Certified Asterisk" and version "13.13.0" | cert3 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 13.13.0 Search vendor "Digium" for product "Certified Asterisk" and version "13.13.0" | cert4 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 13.13.0 Search vendor "Digium" for product "Certified Asterisk" and version "13.13.0" | cert5 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 13.13.0 Search vendor "Digium" for product "Certified Asterisk" and version "13.13.0" | cert6 |
Affected
| ||||||