CVE-2023-37457: Classic Buffer Overflow in Asterisk

Severity: 8.2 HIGH (NVD)
EPSS: 0.1% (top 77.83%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 14

Description

Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk versions 18.20.0 and prior, 20.5.0 and prior, and 21.0.0; as well as certified-asterisk 18.9-cert5 and prior, the 'update' functionality of the PJSIP_HEADER dialplan function can exceed the available buffer space for storing the new value of a header. By doing so this can overwrite memory or cause a crash. This is not externally exploitable, unless dialplan is explicitly written to update a header based on data

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Exploitability: 3.9 | Impact: 4.2

Affected Packages (5 packages)

Source    | Package                    | Affected versions
debian    | debian/asterisk            | < asterisk 1:16.28.0~dfsg-0+deb11u4 (bullseye)
Debian    | asterisk/asterisk          | < 1:16.28.0~dfsg-0+deb11u4
NVD       | digium/asterisk            | 19.0.0, 20.5.0 (+2 more)
CVEListV5 | asterisk/asterisk          | 18.20.0 (+2 more)
NVD       | sangoma/certified_asterisk | 13.13.0, 16.8.0, 18.9 (+2 more)

Patches

🔴 Vulnerability Details (1)

OSV: CVE-2023-37457: Asterisk is an open source private branch exchange and telephony toolkit (2023-12-14)

📋 Vendor Advisories (1)

Debian: CVE-2023-37457: asterisk - Asterisk is an open source private branch exchange and telephony toolkit. In Ast... (2023)

💬 Community (2)

Bugzilla: TRIAGE CVE-2023-37457 asterisk: potential buffer overflow in PJSIP_HEADER dialplan function [fedora-all] (2023-12-14)
Bugzilla: TRIAGE CVE-2023-37457 asterisk: potential buffer overflow in PJSIP_HEADER dialplan function [epel-all] (2023-12-14)