CVE-2011-4598 — Sensitive Information Exposure in Asterisk
Severity
4.3 MEDIUM (NVD)
EPSS
0.6%
top 29.59%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Dec 15
Latest update: May 17
Description
The handle_request_info function in channels/chan_sip.c in Asterisk Open Source 1.6.2.x before 1.6.2.21 and 1.8.x before 1.8.7.2, when automon is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted sequence of SIP requests.
CVSS vector
AV:N/AC:M/C:N/I:N/A:P
Exploitability: 8.6 | Impact: 2.9
Affected Packages: 3 packages
Vulnerability Details (2)
Vendor Advisories (1)
Debian
CVE-2011-4598: asterisk - The handle_request_info function in channels/chan_sip.c in Asterisk Open Source ... (2011)
Community (1)
Bugzilla
CVE-2011-4598 asterisk: NULL pointer dereference (crash) when processing INFO automon message with no channel (AST-2011-014) (2011-12-09)