CVE-2013-5642 — Improper Input Validation in Asterisk
Severity
5.0 MEDIUM (NVD)
EPSS
5.1%
top 10.19%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Sep 9
Latest update: May 17
Description
The SIP channel driver (channels/chan_sip.c) in Asterisk Open Source 1.8.x before 1.8.23.1, 10.x before 10.12.3, and 11.x before 11.5.1; Certified Asterisk 1.8.15 before 1.8.15-cert3 and 11.2 before 11.2-cert2; and Asterisk Digiumphones 10.x-digiumphones before 10.12.3-digiumphones allows remote attackers to cause a denial of service (NULL pointer dereference, segmentation fault, and daemon crash) via an invalid SDP that defines a media description before the connection description in a SIP requ…
CVSS vector
AV:N/AC:L/C:N/I:N/A:P
Exploitability: 10.0 | Impact: 2.9
Affected Packages: 3 packages
Patches
Vulnerability Details (3)
Vendor Advisories (1)
Debian
CVE-2013-5642: asterisk - The SIP channel driver (channels/chan_sip.c) in Asterisk Open Source 1.8.x befor... (2013)
Community (1)
Bugzilla
CVE-2013-5641 CVE-2013-5642 asterisk: two denial of service flaws in the SIP channel driver (AST-2013-004, AST-2013-005) (2013-08-28)