CVE-2014-2288 — Improper Input Validation in Asterisk

CWE-20 — Improper Input Validation3 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

7.5%

top 8.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Digium Asterisk Debian Asterisk

Timeline

PublishedApr 18

Latest updateMay 17

Description

The PJSIP channel driver in Asterisk Open Source 12.x before 12.1.1, when qualify_frequency "is enabled on an AOR and the remote SIP server challenges for authentication of the resulting OPTIONS request," allows remote attackers to cause a denial of service (crash) via a PJSIP endpoint that does not have an associated outgoing request.

CVSS vector

AV:N/AC:M/C:N/I:N/A:PExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

▶NVDdigium/asterisk12.0.0, 12.1.0+1

▶debiandebian/asterisk

Patches

Patch: downloads.asterisk.org ↗Patch: downloads.asterisk.org ↗

🔴Vulnerability Details

GHSA

GHSA-7qrh-j8hf-935p: The PJSIP channel driver in Asterisk Open Source 12↗2022-05-17

▶

📋Vendor Advisories

Debian

CVE-2014-2288: asterisk - The PJSIP channel driver in Asterisk Open Source 12.x before 12.1.1, when qualif...↗2014

▶