CVE-2013-2264 — Sensitive Information Exposure in Asterisk

CWE-200 — Sensitive Information Exposure8 documents5 sources

Severity

5.0MEDIUMNVD

EPSS

0.2%

top 61.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Asterisk Certified Asterisk Debian Asterisk Asterisk Business Edition +2 more

Timeline

PublishedApr 1

Latest updateMay 17

Description

The SIP channel driver in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before 1.8.15-cert2; Asterisk Business Edition (BE) C.3.x before C.3.8.1; and Asterisk Digiumphones 10.x-digiumphones before 10.12.2-digiumphones exhibits different behavior for invalid INVITE, SUBSCRIBE, and REGISTER transactions depending on whether the user account exists, which allows remote attackers to enumerate account names by (1) reading HTTP statu…

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages6 packages

▶NVDasterisk/digiumphones14 versions+13

▶NVDasterisk/open_source89 versions+88

▶NVDasterisk/business_editionc.3.2.2, c.3.3, c.3.3.2+2

▶Debianasterisk/certified_asterisk< 1:1.8.13.1~dfsg-2

▶NVDasterisk/certified_asterisk1.8.15, 1.8.15.0+1

🔴Vulnerability Details

GHSA

GHSA-79cp-774x-5w3c: The SIP channel driver in Asterisk Open Source 1↗2022-05-17

▶

OSV

CVE-2013-2264: The SIP channel driver in Asterisk Open Source 1↗2013-04-01

▶

📋Vendor Advisories

Debian

CVE-2013-2264: asterisk - The SIP channel driver in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x befor...↗2013

▶

💬Community

Bugzilla

CVE-2013-2686 CVE-2013-2264 asterisk various flaws [epel-6]↗2013-03-28

▶

Bugzilla

CVE-2013-2686 CVE-2013-2264 asterisk various flaws [fedora-17]↗2013-03-28

▶

Bugzilla

CVE-2013-2264 asterisk: Username disclosure in SIP channel driver (AST-2013-003)↗2013-03-28

▶

Bugzilla

CVE-2013-2685 CVE-2013-2686 CVE-2013-2264 asterisk: various flaws [fedora-18]↗2013-03-27

▶