CVE-2015-1558 — Asterisk vulnerability

CWE-3995 documents5 sources

Severity

3.5LOWNVD

EPSS

17.5%

top 4.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Digium Asterisk Debian Asterisk

Timeline

PublishedFeb 9

Latest updateMay 14

Description

Asterisk Open Source 12.x before 12.8.1 and 13.x before 13.1.1, when using the PJSIP channel driver, does not properly reclaim RTP ports, which allows remote authenticated users to cause a denial of service (file descriptor consumption) via an SDP offer containing only incompatible codecs.

CVSS vector

AV:N/AC:M/C:N/I:N/A:PExploitability: 6.8 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/asterisk< asterisk 1:13.1.0~dfsg-1.1 (bullseye)

▶Debiandigium/asterisk< 1:13.1.0~dfsg-1.1

▶NVDdigium/asterisk16 versions+15

🔴Vulnerability Details

GHSA

GHSA-c6qp-2qc4-4h58: Asterisk Open Source 12↗2022-05-14

▶

OSV

CVE-2015-1558: Asterisk Open Source 12↗2015-02-09

▶

📋Vendor Advisories

Debian

CVE-2015-1558: asterisk - Asterisk Open Source 12.x before 12.8.1 and 13.x before 13.1.1, when using the P...↗2015

▶

💬Community

Bugzilla

CVE-2015-1558 asterisk: file descriptor leak when incompatible codecs are offered (AST-2015-001)↗2015-01-29

▶