CVE-2014-2287Improper Input Validation in Asterisk

CWE-20Improper Input Validation7 documents5 sources
Severity
3.5LOWNVD
EPSS
5.2%
top 10.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Digium AsteriskDebian AsteriskDigium Certified Asterisk+1 more
Timeline
PublishedApr 18
Latest updateMay 17

Description

channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before 11.8.1, and 12.1.x before 12.1.1, and Certified Asterisk 1.8.15 before 1.8.15-cert5 and 11.6 before 11.6-cert2, when chan_sip has a certain configuration, allows remote authenticated users to cause a denial of service (channel and file descriptor consumption) via an INVITE request with a (1) Session-Expires or (2) Min-SE header with a malformed or invalid value.

CVSS vector

AV:N/AC:M/C:N/I:N/A:PExploitability: 6.8 | Impact: 2.9

Affected Packages4 packages

NVDdigium/certified_asterisk18 versions+17
debiandebian/asterisk< asterisk 1:11.8.1~dfsg-1 (bullseye)
Debiandigium/asterisk< 1:11.8.1~dfsg-1
NVDdigium/asterisk63 versions+62

Also affects: Fedora 19, 20

Patches

Patch: downloads.asterisk.orgPatch: downloads.asterisk.orgPatch: downloads.asterisk.org

🔴Vulnerability Details

2
GHSA
GHSA-8x96-f2vc-6qpf: channels/chan_sip2022-05-17
OSV
CVE-2014-2287: channels/chan_sip2014-04-18

📋Vendor Advisories

1
Debian
CVE-2014-2287: asterisk - channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before...2014

💬Community

3
Bugzilla
CVE-2014-2286 CVE-2014-2287 asterisk: various flaws [epel-6]2014-03-11
Bugzilla
CVE-2014-2287 asterisk: remote denial of service via file descriptor exhaustion (AST-2014-002)2014-03-11
Bugzilla
CVE-2014-2286 CVE-2014-2287 asterisk: various flaws [fedora-all]2014-03-11
CVE-2014-2287 — Improper Input Validation in Asterisk | cvebase