cbcvebase.
CVE-2017-16671
published 2017-11-09

CVE-2017-16671: A Buffer Overflow issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 before 14.7.1, and 15 before 15.1.1 and Certified Asterisk 13.13 before…

PriorityP349high8.8CVSS 3.0
AVNACLPRLUINSUCHIHAH
EPSS
3.34%
87.1th percentile
A Buffer Overflow issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 before 14.7.1, and 15 before 15.1.1 and Certified Asterisk 13.13 before 13.13-cert7. No size checking is done when setting the user field for Party B on a CDR. Thus, it is possible for someone to use an arbitrarily large string and write past the end of the user field storage buffer. NOTE: this is different from CVE-2017-7617, which was only about the Party A buffer.

Affected

7 ranges
VendorProductVersion rangeFixed in
debianasterisk< asterisk 1:13.18.1~dfsg-1 (bullseye)asterisk 1:13.18.1~dfsg-1 (bullseye)
digiumasterisk>= 0 < 1:13.18.1~dfsg-11:13.18.1~dfsg-1
digiumasterisk>= 0 < 1:13.1.0~dfsg-1.1ubuntu4.1+esm11:13.1.0~dfsg-1.1ubuntu4.1+esm1
digiumasterisk>= 13.0.0 < 13.18.113.18.1
digiumasterisk>= 14.0.0 < 14.7.114.7.1
digiumasterisk>= 15.0.0 < 15.1.115.1.1
digiumcertified_asterisk

CVSS provenance

nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
osv8.8HIGH
vendor_debian8.8HIGH
vendor_ubuntu8.8HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.