CVE-2024-35190
Asterisk's res_pjsip_endpoint_identifier_ip wrongly matches ALL unauthorized SIP requests
Severity Score
5.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Attend
*SSVC
Descriptions
Asterisk is an open source private branch exchange and telephony toolkit. After an upgrade to 18.23.0 (and likewise to 20.8.0 or 21.3.0, see the affected versions below), ALL unauthorized SIP requests are identified as a PJSIP endpoint of the local Asterisk server: the IP-based endpoint identifier (res_pjsip_endpoint_identifier_ip) matches requests that should have been rejected as unauthorized. This vulnerability is fixed in 18.23.1, 20.8.1, and 21.3.1.
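The practical check for this entry is whether a running instance sits in the affected release window. The script below is an added example written for this page, not code from the Asterisk project or the advisory: it parses the version banner that `asterisk -rx "core show version"` prints (the banner strings used here are constructed samples in that shape) and classifies it against the affected releases in the table below and the fixed releases named in the description. It assumes, as the affected-versions table indicates, that only the x.y.0 release of each listed branch carries the regression.

```python
"""Added example (not Asterisk project code): classify an Asterisk version banner
against the CVE-2024-35190 affected and fixed releases listed on this page."""
import re

# Releases carrying the regression (this page's affected-versions table) and the
# releases that fix it (the advisory text). Assumption: only the x.y.0 release
# of each branch is affected, as the CPE list on this page indicates.
AFFECTED_FROM = {18: (18, 23, 0), 20: (20, 8, 0), 21: (21, 3, 0)}
FIXED_IN = {18: (18, 23, 1), 20: (20, 8, 1), 21: (21, 3, 1)}

# Matches the version in output such as "Asterisk 18.23.0 built by root @ ...".
VERSION_RE = re.compile(r"\bAsterisk\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Return (major, minor, patch) from an Asterisk version banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no Asterisk version found in {banner!r}")
    return tuple(int(x) for x in m.groups())


def status(banner):
    """Return 'affected', 'fixed', 'predates regression' or 'branch not listed'.

    'branch not listed' means the page gives no data for that major version;
    it is not a statement that the version is safe.
    """
    version = parse_version(banner)
    branch = version[0]
    if branch not in AFFECTED_FROM:
        return "branch not listed"
    if version < AFFECTED_FROM[branch]:
        return "predates regression"
    if version < FIXED_IN[branch]:
        return "affected"
    return "fixed"


if __name__ == "__main__":
    # Constructed sample banners in the shape of `asterisk -rx "core show version"`.
    samples = [
        "Asterisk 18.23.0 built by root @ pbx on a x86_64 running Linux",
        "Asterisk 18.23.1 built by root @ pbx on a x86_64 running Linux",
        "Asterisk 20.7.2 built by root @ pbx on a x86_64 running Linux",
        "Asterisk 21.3.0 built by root @ pbx on a x86_64 running Linux",
        "Asterisk 16.30.0 built by root @ pbx on a x86_64 running Linux",
    ]
    for banner in samples:
        major, minor, patch = parse_version(banner)
        print(f"{major}.{minor}.{patch:<4} {status(banner)}")
```

Feed it the real banner from the host you are assessing; a result of "branch not listed" (for example on 16.x or 19.x) only means this page carries no data for that branch, so consult the advisory rather than treating it as a clean result.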
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Attend
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-05-10 CVE Reserved
- 2024-05-17 CVE Published
- 2024-05-18 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-303: Incorrect Implementation of Authentication Algorithm
- CWE-480: Use of Incorrect Operator
- CWE-670: Always-Incorrect Control Flow Implementation
CAPEC
References (4)
URL | Tag | Source |
---|---|---|
https://github.com/asterisk/asterisk/commit/85241bd22936cc15760fd1f65d16c98be7aeaf6d | X_refsource_misc | |
https://github.com/asterisk/asterisk/pull/600 | X_refsource_misc | |
https://github.com/asterisk/asterisk/pull/602 | X_refsource_misc | |
https://github.com/asterisk/asterisk/security/advisories/GHSA-qqxj-v78h-hrf9 | X_refsource_confirm | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status |
---|---|---|---|
Asterisk | Asterisk | 21.3.0 | Affected |
Asterisk | Asterisk | 20.8.0 | Affected |
Asterisk | Asterisk | 18.23.0 | Affected |