CVE-2017-14099 — Sensitive Information Exposure in Asterisk

CWE-200 — Sensitive Information Exposure7 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 41.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Digium Asterisk Debian Asterisk Digium Certified Asterisk

Timeline

PublishedSep 2

Latest updateMay 17

Description

In res/res_rtp_asterisk.c in Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized data disclosure (media takeover in the RTP stack) is possible with careful timing by an attacker. The "strictrtp" option in rtp.conf enables a feature of the RTP stack that learns the source address of media for a session and drops any packets that do not originate from the expected address. This option is …

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDdigium/certified_asterisk11.6, 13.13+1

▶debiandebian/asterisk< asterisk 1:13.17.1~dfsg-1 (bullseye)

▶Debiandigium/asterisk< 1:13.17.1~dfsg-1

▶NVDdigium/asterisk101 versions+100

Patches

Patch: bugs.debian.org ↗Patch: issues.asterisk.org ↗Patch: bugs.debian.org ↗

🔴Vulnerability Details

GHSA

GHSA-4q58-999f-6rpw: In res/res_rtp_asterisk↗2022-05-17

▶

OSV

CVE-2017-14099: In res/res_rtp_asterisk↗2017-09-02

▶

📋Vendor Advisories

Debian

CVE-2017-14099: asterisk - In res/res_rtp_asterisk.c in Asterisk 11.x before 11.25.2, 13.x before 13.17.1, ...↗2017

▶

💬Community

Bugzilla

CVE-2017-14098 CVE-2017-14099 CVE-2017-14100 asterisk: Multiple vulnerabilities [fedora-all]↗2017-09-04

▶

Bugzilla

CVE-2017-14098 CVE-2017-14099 CVE-2017-14100 asterisk: Multiple vulnerabilities [epel-6]↗2017-09-04

▶

Bugzilla

CVE-2017-14098 CVE-2017-14099 CVE-2017-14100 asterisk: Multiple vulnerabilities↗2017-09-04

▶