CVE-2014-8414Asterisk vulnerability

CWE-3995 documents5 sources
Severity
5.0MEDIUMNVD
EPSS
1.9%
top 16.72%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Digium AsteriskDebian AsteriskDigium Certified Asterisk
Timeline
PublishedNov 24
Latest updateMay 17

Description

ConfBridge in Asterisk 11.x before 11.14.1 and Certified Asterisk 11.6 before 11.6-cert8 does not properly handle state changes, which allows remote attackers to cause a denial of service (channel hang and memory consumption) by causing transitions to be delayed, which triggers a state change from hung up to waiting for media.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages4 packages

NVDdigium/certified_asterisk11.6, 11.6.0+1
debiandebian/asterisk< asterisk 1:13.1.0~dfsg-1 (bullseye)
Debiandigium/asterisk< 1:13.1.0~dfsg-1
NVDdigium/asterisk11.14.0

🔴Vulnerability Details

2
GHSA
GHSA-2mc6-x8h4-86rp: ConfBridge in Asterisk 112022-05-17
OSV
CVE-2014-8414: ConfBridge in Asterisk 112014-11-24

📋Vendor Advisories

1
Debian
CVE-2014-8414: asterisk - ConfBridge in Asterisk 11.x before 11.14.1 and Certified Asterisk 11.6 before 11...2014

💬Community

1
Bugzilla
CVE-2014-8414 asterisk: High call load may result in hung channels in ConfBridge [AST-2014-014]2014-11-21
CVE-2014-8414 — Debian Asterisk vulnerability | cvebase