CVE-2015-3008Asterisk vulnerability

CWE-3107 documents5 sources
Severity
4.3MEDIUMNVD
EPSS
39.0%
top 2.72%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Digium AsteriskDebian AsteriskDigium Certified Asterisk
Timeline
PublishedApr 10
Latest updateMay 14

Description

Asterisk Open Source 1.8 before 1.8.32.3, 11.x before 11.17.1, 12.x before 12.8.2, and 13.x before 13.3.2 and Certified Asterisk 1.8.28 before 1.8.28-cert5, 11.6 before 11.6-cert11, and 13.1 before 13.1-cert2, when registering a SIP TLS device, does not properly handle a null byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification A

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages4 packages

NVDdigium/certified_asterisk22 versions+21
debiandebian/asterisk< asterisk 1:13.7.2~dfsg-1 (bullseye)
Debiandigium/asterisk< 1:13.7.2~dfsg-1
NVDdigium/asterisk95 versions+94

🔴Vulnerability Details

2
GHSA
GHSA-j3c8-xv8h-h8mv: Asterisk Open Source 12022-05-14
OSV
CVE-2015-3008: Asterisk Open Source 12015-04-10

📋Vendor Advisories

1
Debian
CVE-2015-3008: asterisk - Asterisk Open Source 1.8 before 1.8.32.3, 11.x before 11.17.1, 12.x before 12.8....2015

💬Community

3
Bugzilla
CVE-2015-3008 asterisk: TLS Certificate Common name NULL byte exploit [fedora-all]2015-04-09
Bugzilla
CVE-2015-3008 asterisk: TLS Certificate Common name NULL byte exploit2015-04-09
Bugzilla
CVE-2015-3008 asterisk: TLS Certificate Common name NULL byte exploit [epel-6]2015-04-09
CVE-2015-3008 — Debian Asterisk vulnerability | cvebase