CVE-2012-3863Asterisk vulnerability

CWE-3998 documents5 sources
Severity
4.0MEDIUMNVD
EPSS
7.2%
top 8.39%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Digium AsteriskDebian AsteriskDigium Asterisk Business Edition+2 more
Timeline
PublishedJul 9
Latest updateMay 17

Description

channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.13.1 and 10.x before 10.5.2, Asterisk Business Edition C.3.x before C.3.7.5, Certified Asterisk 1.8.11-certx before 1.8.11-cert4, and Asterisk Digiumphones 10.x.x-digiumphones before 10.5.2-digiumphones does not properly handle a provisional response to a SIP reINVITE request, which allows remote authenticated users to cause a denial of service (RTP port exhaustion) via sessions that lack final responses.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 8.0 | Impact: 2.9

Affected Packages6 packages

NVDdigium/asterisk_business_editionc.3.1, c.3.3, c.3.7.4+2
debiandebian/asterisk< asterisk 1:1.8.13.1~dfsg-1 (bullseye)
Debiandigium/asterisk< 1:1.8.13.1~dfsg-1
NVDdigium/asterisk47 versions+46

Patches

Patch: downloads.asterisk.orgPatch: downloads.asterisk.org

🔴Vulnerability Details

2
GHSA
GHSA-6fc4-87xv-rxjx: channels/chan_sip2022-05-17
OSV
CVE-2012-3863: channels/chan_sip2012-07-09

📋Vendor Advisories

1
Debian
CVE-2012-3863: asterisk - channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.13.1 and 10.x befor...2012

💬Community

4
Bugzilla
CVE-2012-3863 CVE-2012-3812 asterisk various flaws [fedora-16]2012-07-06
Bugzilla
CVE-2012-3863 asterisk: Possible resource leak on uncompleted re-invite transactions2012-07-06
Bugzilla
CVE-2012-3863 CVE-2012-3812 asterisk various flaws [fedora-17]2012-07-06
Bugzilla
CVE-2012-3863 CVE-2012-3812 asterisk various flaws [epel-6]2012-07-06
CVE-2012-3863 — Debian Asterisk vulnerability | cvebase