CVE-2016-9938 — Improper Authorization in Asterisk

CWE-285 — Improper Authorization7 documents5 sources

Severity

5.3MEDIUMNVD

EPSS

1.4%

top 19.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Digium Asterisk Debian Asterisk Digium Certified Asterisk

Timeline

PublishedDec 12

Latest updateMay 17

Description

An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace. This…

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶NVDdigium/certified_asterisk8 versions+7

▶debiandebian/asterisk< asterisk 1:13.13.1~dfsg-1 (bullseye)

▶Debiandigium/asterisk< 1:13.13.1~dfsg-1

▶NVDdigium/asterisk83 versions+82

🔴Vulnerability Details

GHSA

GHSA-4h4c-qgxg-p3qv: An issue was discovered in Asterisk Open Source 11↗2022-05-17

▶

OSV

CVE-2016-9938: An issue was discovered in Asterisk Open Source 11↗2016-12-12

▶

📋Vendor Advisories

Debian

CVE-2016-9938: asterisk - An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before...↗2016

▶

💬Community

Bugzilla

CVE-2016-9938 asterisk: Authentication Bypass due to improper content stripping↗2016-12-12

▶

Bugzilla

CVE-2016-9938 asterisk: Authentication Bypass due to improper content stripping [epel-6]↗2016-12-12

▶

Bugzilla

CVE-2016-9938 asterisk: Authentication Bypass due to improper content stripping [fedora-all]↗2016-12-12

▶