CVE-2009-3727 — Sensitive Information Exposure in Asterisk

CWE-200 — Sensitive Information Exposure7 documents6 sources

Severity

5.0MEDIUMNVD

EPSS

0.7%

top 27.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Digium Asterisk Debian Asterisk Digium Asterisknow +1 more

Timeline

PublishedNov 10

Latest updateMay 2

Description

Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.3, 1.6.0.x before 1.6.0.17, and 1.6.1.x before 1.6.1.9; Business Edition A.x.x, B.x.x before B.2.5.12, C.2.x.x before C.2.4.5, and C.3.x.x before C.3.2.2; AsteriskNOW 1.5; and s800i 1.3.x before 1.3.0.5 generate different error messages depending on whether a SIP username is valid, which allows remote attackers to enumerate valid usernames via multiple crafted REGISTER messages with inconsistent usernames in the URI in the To header a…

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages5 packages

▶NVDdigium/asterisknow1.5

▶debiandebian/asterisk< asterisk 1:1.6.2.0~rc6-1 (bullseye)

▶Debiandigium/asterisk< 1:1.6.2.0~rc6-1

▶NVDdigium/s800i4 versions+3

▶NVDdigium/asterisk128 versions+127

Patches

Patch: www.securityfocus.com ↗Patch: www.securityfocus.com ↗

🔴Vulnerability Details

GHSA

GHSA-827c-j6w2-8fg4: Asterisk Open Source 1↗2022-05-02

▶

OSV

CVE-2009-3727: Asterisk Open Source 1↗2009-11-10

▶

📋Vendor Advisories

Red Hat

Asterisk: SIP responses expose valid usernames (AST-2009-008)↗2009-11-04

▶

Debian

CVE-2009-3727: asterisk - Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.3, 1.6.0.x before ...↗2009

▶

💬Community

Bugzilla

CVE-2011-3727 dokuwiki: installation path disclosure via a direct request to a .php file↗2011-09-26

▶

Bugzilla

CVE-2009-3727 Asterisk: SIP responses expose valid usernames (AST-2009-008)↗2009-11-05

▶