CVE-2017-14603 — Sensitive Information Exposure in Asterisk

CWE-200 — Sensitive Information Exposure7 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.7%

top 26.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Digium Asterisk Debian Asterisk Digium Certified Asterisk

Timeline

PublishedOct 10

Latest updateMay 17

Description

In Asterisk 11.x before 11.25.3, 13.x before 13.17.2, and 14.x before 14.6.2 and Certified Asterisk 11.x before 11.6-cert18 and 13.x before 13.13-cert6, insufficient RTCP packet validation could allow reading stale buffer contents and when combined with the "nat" and "symmetric_rtp" options allow redirecting where Asterisk sends the next RTCP report.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDdigium/certified_asterisk11.6, 13.13+1

▶debiandebian/asterisk< asterisk 1:13.17.2~dfsg-1 (bullseye)

▶Debiandigium/asterisk< 1:13.17.2~dfsg-1

▶NVDdigium/asterisk101 versions+100

🔴Vulnerability Details

GHSA

GHSA-p6hc-c268-h4wx: In Asterisk 11↗2022-05-17

▶

OSV

CVE-2017-14603: In Asterisk 11↗2017-10-10

▶

📋Vendor Advisories

Debian

CVE-2017-14603: asterisk - In Asterisk 11.x before 11.25.3, 13.x before 13.17.2, and 14.x before 14.6.2 and...↗2017

▶

💬Community

Bugzilla

CVE-2017-14603 asterisk: RTP/RTCP information leak↗2017-09-20

▶

Bugzilla

CVE-2017-14603 asterisk: RTP/RTCP information leak [fedora-all]↗2017-09-20

▶

Bugzilla

CVE-2017-14603 asterisk: RTP/RTCP information leak [epel-6]↗2017-09-20

▶