CVE-2022-26498 — Uncontrolled Resource Consumption in Asterisk

CWE-400 — Uncontrolled Resource Consumption7 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 38.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Digium Asterisk Debian Asterisk Debian Linux

Timeline

PublishedApr 15

Latest updateApr 18

Description

An issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it is possible to download files that are not certificates. These files could be much larger than what one would expect to download, leading to Resource Exhaustion. This is fixed in 16.25.2, 18.11.2, and 19.3.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDdigium/asterisk18.0 — 18.11.2+2

▶debiandebian/asterisk< asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye)

▶Debiandigium/asterisk< 1:16.28.0~dfsg-0+deb11u1

Also affects: Debian Linux 10.0, 11.0

Patches

Patch: packetstormsecurity.com ↗Patch: downloads.asterisk.org ↗Patch: packetstormsecurity.com ↗

🔴Vulnerability Details

GHSA

GHSA-x4hp-q863-hc8m: An issue was discovered in Asterisk through 19↗2022-04-16

▶

OSV

CVE-2022-26498: An issue was discovered in Asterisk through 19↗2022-04-15

▶

📋Vendor Advisories

Debian

CVE-2022-26498: asterisk - An issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it is ...↗2022

▶

💬Community

Bugzilla

CVE-2022-26498 CVE-2022-26499 CVE-2022-26651 asterisk: multiple vulnerabilities [epel-all]↗2022-04-18

▶

Bugzilla

CVE-2022-26498 CVE-2022-26499 CVE-2022-26651 asterisk: multiple vulnerabilities [fedora-all]↗2022-04-18

▶