CVE-2009-0871Improper Input Validation in Asterisk

CWE-20Improper Input Validation7 documents5 sources
Severity
3.5LOWNVD
EPSS
2.9%
top 13.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Digium AsteriskDebian Asterisk
Timeline
PublishedMar 11
Latest updateMay 2

Description

The SIP channel driver in Asterisk Open Source 1.4.22, 1.4.23, and 1.4.23.1; 1.6.0 before 1.6.0.6; 1.6.1 before 1.6.1.0-rc2; and Asterisk Business Edition C.2.3, with the pedantic option enabled, allows remote authenticated users to cause a denial of service (crash) via a SIP INVITE request without any headers, which triggers a NULL pointer dereference in the (1) sip_uri_headers_cmp and (2) sip_uri_params_cmp functions.

CVSS vector

AV:N/AC:M/C:N/I:N/A:PExploitability: 6.8 | Impact: 2.9

Affected Packages2 packages

NVDdigium/asterisk11 versions+10

Patches

Patch: downloads.digium.comPatch: www.securityfocus.comPatch: downloads.digium.com

🔴Vulnerability Details

1
GHSA
GHSA-v44g-p4wf-wh36: The SIP channel driver in Asterisk Open Source 12022-05-02

📋Vendor Advisories

2
Red Hat
asterisk: remote crash in SIP channel driver (AST-2009-002)2009-03-10
Debian
CVE-2009-0871: asterisk - The SIP channel driver in Asterisk Open Source 1.4.22, 1.4.23, and 1.4.23.1; 1.6...2009

💬Community

3
Bugzilla
CVE-2009-0871 asterisk: remote crash in SIP channel driver [F9]2009-03-11
Bugzilla
CVE-2009-0871 asterisk: remote crash in SIP channel driver [F10]2009-03-11
Bugzilla
CVE-2009-0871 asterisk: remote crash in SIP channel driver (AST-2009-002)2009-03-11