CVE-2022-26498
published 2022-04-15

Priority: P3, 49, high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 15.55% (96.4th percentile)

An issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it is possible to download files that are not certificates. These files could be much larger than what one would expect to download, leading to Resource Exhaustion. This is fixed in 16.25.2, 18.11.2, and 19.3.2.

Affected

7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | asterisk | < asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye) | asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye) |
| debian | debian_linux | | |
| debian | debian_linux | | |
| digium | asterisk | >= 0 < 1:16.28.0~dfsg-0+deb11u1 | 1:16.28.0~dfsg-0+deb11u1 |
| digium | asterisk | 16.15.0 – 16.25.1 | |
| digium | asterisk | >= 18.0 < 18.11.2 | 18.11.2 |
| digium | asterisk | 19.0.0 – 19.3.1 | |

CVSS provenance

nvd, v3.1: 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
nvd, v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:N/I:N/A:P)
osv: 7.5 HIGH
vendor_debian: 7.5 HIGH