CVE-2008-3903 — Sensitive Information Exposure in Asterisk

CWE-200 — Sensitive Information Exposure6 documents6 sources

Severity

3.5LOWNVD

EPSS

0.7%

top 27.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Asterisk Asterisk P B X Trixbox PBX

Timeline

PublishedSep 4

Latest updateMay 2

Description

Asterisk Open Source 1.2.x before 1.2.32, 1.4.x before 1.4.24.1, and 1.6.0.x before 1.6.0.8; Asterisk Business Edition A.x.x, B.x.x before B.2.5.8, C.1.x.x before C.1.10.5, and C.2.x.x before C.2.3.3; s800i 1.3.x before 1.3.0.2; and Trixbox PBX 2.6.1, when Digest authentication and authalwaysreject are enabled, generates different responses depending on whether a SIP username is valid, which allows remote attackers to enumerate valid usernames.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 6.8 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/asterisk< asterisk 1:1.6.1.0~dfsg-1 (bullseye)

▶NVDasterisk/p_b_x4 versions+3

▶NVDtrixbox/pbx2.6.1

🔴Vulnerability Details

GHSA

GHSA-m5r8-ppgr-h5vx: Asterisk Open Source 1↗2022-05-02

▶

OSV

CVE-2008-3903: Asterisk Open Source 1↗2008-09-04

▶

📋Vendor Advisories

Debian

CVE-2008-3903: asterisk - Asterisk Open Source 1.2.x before 1.2.32, 1.4.x before 1.4.24.1, and 1.6.0.x bef...↗2008

▶

Red Hat

asterisk: SIP valid account enumeration flaw↗

▶

💬Community

Bugzilla

CVE-2008-3903 asterisk: SIP valid account enumeration flaw↗2008-09-05

▶