CVE-2014-2286
Published: 2014-04-18
Priority: P3 · 50 · CVSS 2.0: 7.5 (high) · Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 16.26% (96.6th percentile)
main/http.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before 11.8.1, and 12.1.x before 12.1.1, and Certified Asterisk 1.8.x before 1.8.15-cert5 and 11.6 before 11.6-cert2, allows remote attackers to cause a denial of service (stack consumption) and possibly execute arbitrary code via an HTTP request with a large number of Cookie headers.
Affected
85 affected ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | asterisk | < asterisk 1:11.8.1~dfsg-1 (bullseye) | asterisk 1:11.8.1~dfsg-1 (bullseye) |
| digium | asterisk | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
GHSA
GHSA-v4h6-4vfg-m45q: main/http (ghsa_unreviewed · 2022-05-17 · CWE-20 · HIGH)
OSV
CVE-2014-2286: main/http (osv · 2014-04-18 · CVSS 7.5 · HIGH)
Debian
CVE-2014-2286: asterisk - main/http.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before 11.8.1,... (vendor_debian · 2014 · CVSS 7.5 · HIGH)
Scope: local
bullseye: resolved (fixed in 1:11.8.1~dfsg-1)
sid: resolved (fixed in 1:11.8.1~dfsg-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-2286 CVE-2014-2287 asterisk: various flaws [epel-6] (bugzilla · 2014-03-11 · CVSS 7.5 · HIGH)
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when available.
epel-6 tracking bug for asterisk: see b
Bugzilla
CVE-2014-2286 asterisk: cookie processing stack overflow (AST-2014-001) (bugzilla · 2014-03-11 · CVSS 7.5 · HIGH)
A stack overflow flaw was found in Asterisk's cookie processing. A remote attacker could send specially-crafted requests that would cause Asterisk to consume a large amount of memory, crash, or, potentially, execute arbitrary code. This issue affected all 1.8.x and 11.x versions. It has been corrected in versions 1.8.26.1 and 11.8.1.
Upstream patches:
http://downloads.asterisk.org/pub/security/AST-2014-001-1.8.diff
http://downloads.asterisk.org/pub/security/AST-2014-001-11.diff
External References:
http://downloads.asterisk.org/pub/security/AST-2014-001.html
Discussion:
Created asterisk tracking bugs for this issue:
Affects: fedora-all [bug 1074828]
Affects: epel-6 [bug 1074829]
---
asterisk-11.8.1-1.fc19 has b
Bugzilla
CVE-2014-2286 CVE-2014-2287 asterisk: various flaws [fedora-all] (bugzilla · 2014-03-11 · CVSS 7.5 · HIGH)
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when available.
Please note: this issue affects multiple
References
http://downloads.asterisk.org/pub/security/AST-2014-001-1.8.diff
http://downloads.asterisk.org/pub/security/AST-2014-001.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-March/130400.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-March/130426.html
http://www.mandriva.com/security/advisories?name=MDVSA-2014:078
http://www.securityfocus.com/bid/66093
https://issues.asterisk.org/jira/browse/ASTERISK-23340