CVE-2021-32558 — Injection in Asterisk

CWE-74 — Injection4 documents4 sources

Severity

7.5HIGHNVD

EPSS

2.9%

top 13.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Digium Asterisk Debian Asterisk Debian Linux +1 more

Timeline

PublishedJul 30

Latest updateMay 24

Description

An issue was discovered in Sangoma Asterisk 13.x before 13.38.3, 16.x before 16.19.1, 17.x before 17.9.4, and 18.x before 18.5.1, and Certified Asterisk before 16.8-cert10. If the IAX2 channel driver receives a packet that contains an unsupported media format, a crash can occur.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDdigium/certified_asterisk16.8

▶NVDdigium/asterisk13.0.0 — 13.38.3+3

▶debiandebian/asterisk< asterisk 1:16.16.1~dfsg-1+deb11u1 (bullseye)

▶Debiandigium/asterisk< 1:16.16.1~dfsg-1+deb11u1

Also affects: Debian Linux 11.0, 9.0

Patches

Patch: packetstormsecurity.com ↗Patch: seclists.org ↗Patch: downloads.asterisk.org ↗

🔴Vulnerability Details

GHSA

GHSA-xhjf-mf8w-q63p: An issue was discovered in Sangoma Asterisk 13↗2022-05-24

▶

OSV

CVE-2021-32558: An issue was discovered in Sangoma Asterisk 13↗2021-07-30

▶

📋Vendor Advisories

Debian

CVE-2021-32558: asterisk - An issue was discovered in Sangoma Asterisk 13.x before 13.38.3, 16.x before 16....↗2021

▶