CVE-2022-37325 — Out-of-bounds Write in Asterisk

CWE-787 — Out-of-bounds Write6 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.7%

top 28.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sangoma Asterisk Debian Asterisk

Timeline

PublishedDec 5

Description

In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a crash.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDsangoma/asterisk16.0.0 — 16.29.1+3

▶Debiansangoma/asterisk< 1:16.28.0~dfsg-0+deb11u2

▶debiandebian/asterisk< asterisk 1:16.28.0~dfsg-0+deb11u2 (bullseye)

Patches

Patch: downloads.asterisk.org ↗Patch: downloads.asterisk.org ↗

🔴Vulnerability Details

GHSA

GHSA-m52q-h2w3-62w3: In Sangoma Asterisk through 16↗2022-12-05

▶

OSV

CVE-2022-37325: In Sangoma Asterisk through 16↗2022-12-05

▶

📋Vendor Advisories

Debian

CVE-2022-37325: asterisk - In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x thr...↗2022

▶

💬Community

Bugzilla

CVE-2022-37325 asterisk: Remote Crash Vulnerability in H323 channel add on [epel-8]↗2022-12-05

▶

Bugzilla

CVE-2022-37325 asterisk: Remote Crash Vulnerability in H323 channel add on [fedora-all]↗2022-12-05

▶