CVE-2014-2286 — Improper Input Validation in Asterisk

CWE-20 — Improper Input Validation7 documents5 sources

Severity

7.5HIGHNVD

EPSS

14.8%

top 5.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Digium Asterisk Debian Asterisk Digium Certified Asterisk +1 more

Timeline

PublishedApr 18

Latest updateMay 17

Description

main/http.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before 11.8.1, and 12.1.x before 12.1.1, and Certified Asterisk 1.8.x before 1.8.15-cert5 and 11.6 before 11.6-cert2, allows remote attackers to cause a denial of service (stack consumption) and possibly execute arbitrary code via an HTTP request with a large number of Cookie headers.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages4 packages

▶NVDdigium/certified_asterisk18 versions+17

▶debiandebian/asterisk< asterisk 1:11.8.1~dfsg-1 (bullseye)

▶Debiandigium/asterisk< 1:11.8.1~dfsg-1

▶NVDdigium/asterisk63 versions+62

Also affects: Fedora 19, 20

Patches

Patch: downloads.asterisk.org ↗Patch: downloads.asterisk.org ↗Patch: downloads.asterisk.org ↗

🔴Vulnerability Details

GHSA

GHSA-v4h6-4vfg-m45q: main/http↗2022-05-17

▶

OSV

CVE-2014-2286: main/http↗2014-04-18

▶

📋Vendor Advisories

Debian

CVE-2014-2286: asterisk - main/http.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before 11.8.1,...↗2014

▶

💬Community

Bugzilla

CVE-2014-2286 CVE-2014-2287 asterisk: various flaws [epel-6]↗2014-03-11

▶

Bugzilla

CVE-2014-2286 asterisk: cookie processing stack overflow (AST-2014-001)↗2014-03-11

▶

Bugzilla

CVE-2014-2286 CVE-2014-2287 asterisk: various flaws [fedora-all]↗2014-03-11

▶