CVE-2013-2264
published 2013-04-01

Priority P426 medium 5 CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS: 1.25% (65.7th percentile)
The SIP channel driver in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before 1.8.15-cert2; Asterisk Business Edition (BE) C.3.x before C.3.8.1; and Asterisk Digiumphones 10.x-digiumphones before 10.12.2-digiumphones exhibits different behavior for invalid INVITE, SUBSCRIBE, and REGISTER transactions depending on whether the user account exists, which allows remote attackers to enumerate account names by (1) reading HTTP status codes, (2) reading additional text in a 403 (aka Forbidden) response, or (3) observing whether certain retransmissions occur.

Affected

110 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| asterisk | business_edition | | |
| asterisk | business_edition | | |
| asterisk | business_edition | | |
| asterisk | certified_asterisk | | |
| asterisk | certified_asterisk | | |
| asterisk | certified_asterisk | >= 0 < 1:1.8.13.1~dfsg-2 | 1:1.8.13.1~dfsg-2 |
| asterisk | digiumphones | | |
| asterisk | digiumphones | | |
| asterisk | digiumphones | | |
| asterisk | digiumphones | | |
| asterisk | digiumphones | | |
| asterisk | digiumphones | | |
| asterisk | digiumphones | | |
| asterisk | digiumphones | | |
| asterisk | digiumphones | | |
| asterisk | digiumphones | | |
| asterisk | digiumphones | | |
| asterisk | digiumphones | | |
| asterisk | digiumphones | | |
| asterisk | digiumphones | | |
| asterisk | open_source | | |
| asterisk | open_source | | |
| asterisk | open_source | | |
| asterisk | open_source | | |
| asterisk | open_source | | |

CVSS provenance

nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N
osv | 5.0 | MEDIUM
vendor_debian | 5.0 | LOW