CVE-2017-17850: Improper Input Validation in Asterisk

Severity: 7.5 HIGH (NVD)
EPSS: 30.0% (top 3.34%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2017-12-27; latest update 2022-05-14

Description

An issue was discovered in Asterisk 13.18.4 and older, 14.7.4 and older, 15.1.4 and older, and 13.18-cert1 and older. A select set of SIP messages create a dialog in Asterisk. Those SIP messages must contain a contact header. For those messages, if the header was not present and the PJSIP channel driver was used, Asterisk would crash. The severity of this vulnerability is somewhat mitigated if authentication is enabled. If authentication is enabled, a user would have to first be authorized befor
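The description above boils down to one input-validation rule: a request that creates a SIP dialog must carry a Contact header, and the unpatched PJSIP channel driver dereferenced that header without checking it was there. The following is an added example, not code from Asterisk or PJSIP: a small SIP request checker that parses a raw request and flags the dialog-creating-without-Contact shape, so a practitioner can test captured messages or write a detection rule from it. The method set, the helper names and the sample messages are this example's own assumptions (constructed inline); it also treats the compact "m:" form as a Contact header and treats a To header with a tag as in-dialog, two details the advisory does not spell out.

```python
"""Added example (not Asterisk/PJSIP code): flag dialog-creating SIP requests
that carry no Contact header, the message shape behind CVE-2017-17850."""

# Assumption: these stand in for the advisory's "select set of SIP messages".
# INVITE (RFC 3261), SUBSCRIBE (RFC 6665) and REFER (RFC 3515) create dialogs.
DIALOG_CREATING_METHODS = {"INVITE", "SUBSCRIBE", "REFER"}

# RFC 3261 section 7.3.3 compact header names; "m" is Contact.
COMPACT_FORMS = {"m": "contact", "t": "to", "f": "from", "i": "call-id", "v": "via"}


def parse_sip_request(raw: str):
    """Split a raw SIP request into (method, headers).

    headers maps lower-cased canonical names to a list of values, so duplicate
    headers are kept rather than overwritten.  Folded continuation lines
    (leading SP/HTAB) are appended to the previous header's value.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("SIP/"):
        raise ValueError("not a SIP request line: %r" % lines[0])
    method = parts[0]  # SIP method names are case-sensitive; do not fold case
    headers = {}
    last = None
    for line in lines[1:]:
        if not line:
            continue
        if line[0] in " \t" and last is not None:
            headers[last][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        name = name.strip().lower()
        name = COMPACT_FORMS.get(name, name)
        headers.setdefault(name, []).append(value.strip())
        last = name
    return method, headers


def creates_dialog(method: str, headers: dict) -> bool:
    """True for a dialog-creating method sent out of dialog, i.e. whose To
    header has no tag parameter (RFC 3261 section 12.1).  Assumption: a
    missing To header is treated as out of dialog."""
    if method not in DIALOG_CREATING_METHODS:
        return False
    to = headers.get("to", [""])[0]
    params = to.rsplit(">", 1)[-1] if ">" in to else to
    return ";tag=" not in params.lower()


def missing_contact(raw: str) -> bool:
    """True when the request would create a dialog yet has no Contact header,
    the input the unpatched PJSIP channel driver did not validate."""
    method, headers = parse_sip_request(raw)
    return creates_dialog(method, headers) and "contact" not in headers


def triage(messages):
    """Return the Call-IDs of the messages that trip the check."""
    flagged = []
    for raw in messages:
        if missing_contact(raw):
            _, headers = parse_sip_request(raw)
            flagged.append(headers.get("call-id", ["?"])[0])
    return flagged


def _msg(request_line, *header_lines):
    return "\r\n".join((request_line,) + header_lines) + "\r\n\r\n"


# Constructed sample messages; addresses use documentation ranges (RFC 5737).
_VIA = "Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK1"
_FROM = "From: <sip:alice@example.net>;tag=a1"
SAMPLES = [
    # 1. Well-formed INVITE with Contact: not flagged.
    _msg("INVITE sip:100@pbx.example SIP/2.0", _VIA, _FROM,
         "To: <sip:100@pbx.example>", "Call-ID: ok-invite@example.net",
         "CSeq: 1 INVITE", "Contact: <sip:alice@203.0.113.5>", "Content-Length: 0"),
    # 2. INVITE with no Contact: the CVE-2017-17850 shape, flagged.
    _msg("INVITE sip:100@pbx.example SIP/2.0", _VIA, _FROM,
         "To: <sip:100@pbx.example>", "Call-ID: no-contact-invite@example.net",
         "CSeq: 1 INVITE", "Content-Length: 0"),
    # 3. Compact "m:" is still a Contact header: not flagged.
    _msg("SUBSCRIBE sip:100@pbx.example SIP/2.0", _VIA, _FROM,
         "To: <sip:100@pbx.example>", "Call-ID: compact@example.net",
         "CSeq: 1 SUBSCRIBE", "Event: presence", "m: <sip:alice@203.0.113.5>",
         "Content-Length: 0"),
    # 4. OPTIONS creates no dialog, so a missing Contact is not the crash shape.
    _msg("OPTIONS sip:pbx.example SIP/2.0", _VIA, _FROM,
         "To: <sip:pbx.example>", "Call-ID: options@example.net",
         "CSeq: 1 OPTIONS", "Content-Length: 0"),
    # 5. In-dialog re-INVITE (To carries a tag): out of scope for this check.
    _msg("INVITE sip:100@pbx.example SIP/2.0", _VIA, _FROM,
         "To: <sip:100@pbx.example>;tag=b2", "Call-ID: reinvite@example.net",
         "CSeq: 2 INVITE", "Content-Length: 0"),
]

if __name__ == "__main__":
    print("flagged:", triage(SAMPLES))
```

Sample 5 is deliberately not flagged because it mirrors the advisory's "create a dialog" wording; RFC 3261 requires Contact on re-INVITEs as well, so a general conformance checker would drop the To-tag test and flag it too. Run over real traffic, the `triage` output gives the Call-IDs worth pulling from a capture when an Asterisk box with the PJSIP driver has crashed.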

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (4)

Debian (debian/asterisk): < 1:13.18.5~dfsg-1 (bullseye)
Debian (digium/asterisk): < 1:13.18.5~dfsg-1
NVD (digium/asterisk): 13.0.0 to 13.18.4 (+2 more ranges)
NVD (digium/certified_asterisk): 13.1.0, 13.8 (+1 more)

Vulnerability Details (2)

GHSA: GHSA-cx4v-84p4-4vh6: An issue was discovered in Asterisk 13... (2022-05-14)
OSV: CVE-2017-17850: An issue was discovered in Asterisk 13... (2017-12-27)

Vendor Advisories (1)

Debian: CVE-2017-17850: asterisk - An issue was discovered in Asterisk 13.18.4 and older, 14.7.4 and older, 15.1.4 ... (2017)

Community (3)

Bugzilla: CVE-2017-17850 asterisk: Authenticated remote DOS via SIP contact header in PJSIP driver (2017-12-26)
Bugzilla: CVE-2017-17850 asterisk: Authenticated remote DOS via SIP contact header in PJSIP driver [fedora-all] (2017-12-26)
Bugzilla: CVE-2017-17850 asterisk: Authenticated remote DOS via SIP contact header in PJSIP driver [epel-6] (2017-12-26)
Source: cvebase