CVE-2013-2686 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Asterisk

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer8 documents5 sources

Severity

5.0MEDIUMNVD

EPSS

2.4%

top 14.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Asterisk Certified Asterisk Debian Asterisk Asterisk Digiumphones +1 more

Timeline

PublishedApr 1

Latest updateMay 17

Description

main/http.c in the HTTP server in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before 1.8.15-cert2; and Asterisk Digiumphones 10.x-digiumphones before 10.12.2-digiumphones does not properly restrict Content-Length values, which allows remote attackers to conduct stack-consumption attacks and cause a denial of service (daemon crash) via a crafted HTTP POST request. NOTE: this vulnerability exists because of an incorrect fix for…

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages5 packages

▶NVDasterisk/digiumphones14 versions+13

▶NVDasterisk/open_source89 versions+88

▶Debianasterisk/certified_asterisk< 1:1.8.13.1~dfsg-2

▶NVDasterisk/certified_asterisk1.8.15, 1.8.15.0+1

▶debiandebian/asterisk< asterisk 1:1.8.13.1~dfsg-2 (bullseye)

🔴Vulnerability Details

GHSA

GHSA-32mc-px3q-67r4: main/http↗2022-05-17

▶

OSV

CVE-2013-2686: main/http↗2013-04-01

▶

📋Vendor Advisories

Debian

CVE-2013-2686: asterisk - main/http.c in the HTTP server in Asterisk Open Source 1.8.x before 1.8.20.2, 10...↗2013

▶

💬Community

Bugzilla

CVE-2013-2686 CVE-2013-2264 asterisk various flaws [epel-6]↗2013-03-28

▶

Bugzilla

CVE-2013-2686 CVE-2013-2264 asterisk various flaws [fedora-17]↗2013-03-28

▶

Bugzilla

CVE-2013-2686 asterisk: DoS in the HTTP server (AST-2013-002)↗2013-03-28

▶

Bugzilla

CVE-2013-2685 CVE-2013-2686 CVE-2013-2264 asterisk: various flaws [fedora-18]↗2013-03-27

▶