Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2008-2119: Improper Input Validation in Asterisk

Severity: 4.3 MEDIUM (NVD)
EPSS: 10.1% (top 6.87%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Jun 4; latest update May 1

Description

Asterisk Open Source 1.0.x and 1.2.x before 1.2.29 and Business Edition A.x.x and B.x.x before B.2.5.3, when pedantic parsing (aka pedanticsipchecking) is enabled, allows remote attackers to cause a denial of service (daemon crash) via a SIP INVITE message that lacks a From header, related to invocations of the ast_uri_decode function, and improper handling of (1) an empty const string and (2) a NULL pointer.

CVSS vector

AV:N/AC:M/C:N/I:N/A:P
Exploitability: 8.6 | Impact: 2.9

Affected Packages (4 packages)

NVD: asterisk/open_source 1.2.28 +41
debian: debian/asterisk < asterisk 1.4 (bullseye)

🔴 Vulnerability Details (2)

GHSA: GHSA-rh4w-35r5-ffvh: Asterisk Open Source 1 (2022-05-01)
OSV: CVE-2008-2119: Asterisk Open Source 1 (2008-06-04)

💥 Exploits & PoCs (1)

Exploit-DB: Asterisk 1.2.x - SIP channel driver / in pedantic mode Remote Crash (2008-06-05)

📋 Vendor Advisories (1)

Debian: CVE-2008-2119: asterisk - Asterisk Open Source 1.0.x and 1.2.x before 1.2.29 and Business Edition A.x.x an... (2008)