CVE-2018-17281: Uncontrolled Resource Consumption in Asterisk

Severity: 7.5 HIGH (NVD)
EPSS: 80.3% (top 0.88%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 24; latest update May 13

Description

There is a stack consumption vulnerability in the res_http_websocket.so module of Asterisk through 13.23.0, 14.7.x through 14.7.7, and 15.x through 15.6.0 and Certified Asterisk through 13.21-cert2. It allows an attacker to crash Asterisk via a specially crafted HTTP request to upgrade the connection to a websocket.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (4 packages)

NVD: digium/certified_asterisk, 5 versions (+4)
Debian: debian/asterisk < asterisk 1:13.23.1~dfsg-1 (bullseye)
Debian: digium/asterisk < 1:13.23.1~dfsg-1
NVD: digium/asterisk 13.0.0 through 13.23.0 (+2)

Also affects: Debian Linux 8.0, 9.0

Patches

🔴 Vulnerability Details (2)

GHSA: GHSA-64m8-fx32-3864: There is a stack consumption vulnerability in the res_http_websocket (2022-05-13)
OSV: CVE-2018-17281: There is a stack consumption vulnerability in the res_http_websocket (2018-09-24)

📋 Vendor Advisories (1)

Debian: CVE-2018-17281: asterisk - There is a stack consumption vulnerability in the res_http_websocket.so module o... (2018)

💬 Community (3)

Bugzilla: CVE-2018-17281 asterisk: Remote crash vulnerability in HTTP websocket upgrade [fedora-all] (2018-09-24)
Bugzilla: CVE-2018-17281 asterisk: Remote crash vulnerability in HTTP websocket upgrade (2018-09-24)
Bugzilla: CVE-2018-17281 asterisk: Remote crash vulnerability in HTTP websocket upgrade [epel-6] (2018-09-24)
CVE-2018-17281 — Uncontrolled Resource Consumption | cvebase