
Debian Asterisk vulnerabilities

185 known vulnerabilities affecting debian/asterisk.

Total CVEs: 185
CISA KEV: 0
Public exploits: 18
Exploited in wild: 0
Severity breakdown: CRITICAL 17 | HIGH 46 | MEDIUM 93 | LOW 27

Vulnerabilities

Page 4 of 10
CVE-2026-23740 | P3 | UNKNOWN | CVSS 7.8 | fixed in asterisk 1:16.28.0~dfsg-0+deb11u9 (bullseye) | 2026
[NONE] asterisk: Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files to a directory that is world-writable (for example /tmp), an attacker with write permission (which is all users on a Linux system) to that directory can cause root to ex
CVE-2021-43302 | P3 | CRITICAL | CVSS 9.1 | fixed in asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye) | 2021
[CRITICAL] asterisk: Read out-of-bounds in PJSUA API when calling pjsua_recorder_create. An attacker-controlled 'filename' argument may cause an out-of-bounds read when the filename is shorter than 4 characters. Scope: local. bullseye: resolved (fixed in 1:16.28.0~dfsg-0+deb11u1); sid: resolved (fixed in 1:18.11.1~dfsg+~cs6.10.40431413-1)
CVE-2023-27585 | P3 | HIGH | CVSS 7.5 | fixed in asterisk 1:16.28.0~dfsg-0+deb11u3 (bullseye) | 2023
[HIGH] asterisk: PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.13 and prior affects applications that use PJSIP DNS resolver. It doesn't affect PJSIP users who do not utilise PJSIP DNS resolver. This vulnerability is related to CVE-2022-24793. The difference is that this issue is in parsing the query rec
CVE-2022-24793 | P3 | HIGH | CVSS 7.5 | fixed in asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye) | 2022
[HIGH] asterisk: PJSIP is a free and open source multimedia communication library written in C. A buffer overflow vulnerability in versions 2.12 and prior affects applications that use PJSIP DNS resolution. It doesn't affect PJSIP users who utilize an external resolver. This vulnerability is related to CVE-2023-27585. The difference is that this issue is in parsing the query record
CVE-2023-37457 | P3 | HIGH | CVSS 7.5 | fixed in asterisk 1:16.28.0~dfsg-0+deb11u4 (bullseye) | 2023
[HIGH] asterisk: Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk versions 18.20.0 and prior, 20.5.0 and prior, and 21.0.0, as well as certified-asterisk 18.9-cert5 and prior, the 'update' functionality of the PJSIP_HEADER dialplan function can exceed the available buffer space for storing the new value of a header. By doing so this can overwrit
CVE-2025-47780 | P3 | MEDIUM | CVSS 4.8 | fixed in asterisk 1:16.28.0~dfsg-0+deb11u7 (bullseye) | 2025
[MEDIUM] asterisk: Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring `cli_permissions.conf` (e.g. with the config line `deny=!*`) does not wo
CVE-2014-4046 | P3 | LOW | CVSS 6.5 | fixed in asterisk 1:11.10.2~dfsg-1 (bullseye) | 2014
[MEDIUM] asterisk: Asterisk Open Source 11.x before 11.10.1 and 12.x before 12.3.1 and Certified Asterisk 11.6 before 11.6-cert3 allows remote authenticated Manager users to execute arbitrary shell commands via a MixMonitor action. Scope: local. bullseye: resolved (fixed in 1:11.10.2~dfsg-1); sid: resolved (fixed in 1:11.10.2~dfsg-1)
CVE-2022-24764 | P3 | HIGH | CVSS 7.5 | fixed in asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye) | 2022
[HIGH] asterisk: PJSIP is a free and open source multimedia communication library written in C. Versions 2.12 and prior contain a stack buffer overflow vulnerability that affects PJSUA2 users or users that call the API `pjmedia_sdp_print(), pjmedia_sdp_media_print()`. Applications that do not use PJSUA2 and do not directly call `pjmedia_sdp_print()` or `pjmedia_sdp_media_print()` s
CVE-2025-57767 | P3 | LOW | CVSS 7.5 | fixed in asterisk 1:22.5.2~dfsg+~cs6.15.60671435-1 (sid) | 2025
[HIGH] asterisk: Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.15.2, 21.10.2, and 22.5.2, if a SIP request is received with an Authorization header that contains a realm that wasn't in a previous 401 response's WWW-Authenticate header, or an Authorization header with an incorrect realm was received without a previous 401 response bei
CVE-2008-1332 | P3 | MEDIUM | CVSS 8.8 | fixed in asterisk 1:1.4.18.1~dfsg-1 (bullseye) | 2008
[HIGH] asterisk: Unspecified vulnerability in Asterisk Open Source 1.2.x before 1.2.27, 1.4.x before 1.4.18.1 and 1.4.19-rc3; Business Edition A.x.x, B.x.x before B.2.5.1, and C.x.x before C.1.6.2; AsteriskNOW 1.0.x before 1.0.2; Appliance Developer Kit before 1.4 revision 109393; and s800i 1.0.x before 1.1.0.2; allows remote attackers to access the SIP channel driver via a crafted F
CVE-2007-6171 | P3 | MEDIUM | CVSS 7.5 | fixed in asterisk 1:1.4.15~dfsg-1 (bullseye) | 2007
[HIGH] asterisk: SQL injection vulnerability in the Postgres Realtime Engine (res_config_pgsql) in Asterisk 1.4.x before 1.4.15 and C.x before C.1.0-beta6 allows remote attackers to execute arbitrary SQL commands via unknown vectors. Scope: local. bullseye: resolved (fixed in 1:1.4.15~dfsg-1); sid: resolved (fixed in 1:1.4.15~dfsg-1)
CVE-2014-8413 | P3 | HIGH | CVSS 7.5 | fixed in asterisk 1:13.1.0~dfsg-1 (bullseye) | 2014
[HIGH] asterisk: The res_pjsip_acl module in Asterisk Open Source 12.x before 12.7.1 and 13.x before 13.0.1 does not properly create and load ACLs defined in pjsip.conf at startup, which allows remote attackers to bypass intended PJSIP ACL rules. Scope: local. bullseye: resolved (fixed in 1:13.1.0~dfsg-1); sid: resolved (fixed in 1:13.1.0~dfsg-1)
CVE-2022-24792 | P3 | HIGH | CVSS 7.5 | fixed in asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye) | 2022
[HIGH] asterisk: PJSIP is a free and open source multimedia communication library written in C. A denial-of-service vulnerability affects applications on 32-bit systems that use PJSIP versions 2.12 and prior to play/read invalid WAV files. The vulnerability occurs when reading WAV file data chunks with length greater than 31-bit integers. The vulnerability does not affect 64-bit
CVE-2019-18976 | P3 | HIGH | CVSS 7.5 | fixed in asterisk 1:16.1.1~dfsg-1 (bullseye) | 2019
[HIGH] asterisk: An issue was discovered in res_pjsip_t38.c in Sangoma Asterisk through 13.x and Certified Asterisk through 13.21-x. If it receives a re-invite initiating T.38 faxing and has a port of 0 and no c line in the SDP, a NULL pointer dereference and crash will occur. This is different from CVE-2019-18940. Scope: local. bullseye: resolved (fixed in 1:16.1.1~dfsg-1); sid: res
CVE-2012-2414 | P3 | MEDIUM | CVSS 6.5 | fixed in asterisk 1:1.8.11.1~dfsg-1 (bullseye) | 2012
[MEDIUM] asterisk: main/manager.c in the Manager Interface in Asterisk Open Source 1.6.2.x before 1.6.2.24, 1.8.x before 1.8.11.1, and 10.x before 10.3.1 and Asterisk Business Edition C.3.x before C.3.7.4 does not properly enforce System class authorization requirements, which allows remote authenticated users to execute arbitrary commands via (1) the originate action in the MixMonit
CVE-2016-7551 | P3 | HIGH | CVSS 7.5 | fixed in asterisk 1:13.11.2~dfsg-1 (bullseye) | 2016
[HIGH] asterisk: chan_sip in Asterisk Open Source 11.x before 11.23.1 and 13.x before 13.11.1 and Certified Asterisk 11.6 before 11.6-cert15 and 13.8 before 13.8-cert3 allows remote attackers to cause a denial of service (port exhaustion). Scope: local. bullseye: resolved (fixed in 1:13.11.2~dfsg-1); sid: resolved (fixed in 1:13.11.2~dfsg-1)
CVE-2008-1390 | P3 | LOW | CVSS 9.3 | fixed in asterisk 1:1.4.19.1~dfsg-1 (bullseye) | 2008
[CRITICAL] asterisk: The AsteriskGUI HTTP server in Asterisk Open Source 1.4.x before 1.4.19-rc3 and 1.6.x before 1.6.0-beta6, Business Edition C.x.x before C.1.6, AsteriskNOW before 1.0.2, Appliance Developer Kit before revision 104704, and s800i 1.0.x before 1.1.0.2 generates insufficiently random manager ID values, which makes it easier for remote attackers to hijack a manager ses
CVE-2021-26717 | P3 | HIGH | CVSS 7.5 | fixed in asterisk 1:16.16.1~dfsg-1 (bullseye) | 2021
[HIGH] asterisk: An issue was discovered in Sangoma Asterisk 16.x before 16.16.1, 17.x before 17.9.2, and 18.x before 18.2.1 and Certified Asterisk before 16.8-cert6. When re-negotiating for T.38, if the initial remote response was delayed just enough, Asterisk would send both audio and T.38 in the SDP. If this happened, and the remote responded with a declined T.38 stream, then As
CVE-2022-24763 | P3 | HIGH | CVSS 7.5 | fixed in asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye) | 2022
[HIGH] asterisk: PJSIP is a free and open source multimedia communication library written in the C language. Versions 2.12 and prior contain a denial-of-service vulnerability that affects PJSIP users that consume PJSIP's XML parsing in their apps. Users are advised to update. There are no known workarounds. Scope: local. bullseye: resolved (fixed in 1:16.28.0~dfsg-0+deb11u1); sid: re
CVE-2014-8417 | P3 | MEDIUM | CVSS 6.5 | fixed in asterisk 1:13.1.0~dfsg-1 (bullseye) | 2014
[MEDIUM] asterisk: ConfBridge in Asterisk 11.x before 11.14.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 11.6 before 11.6-cert8 allows remote authenticated users to (1) gain privileges via vectors related to an external protocol to the CONFBRIDGE dialplan function or (2) execute arbitrary system commands via a crafted ConfbridgeStartRecord AMI action. Scope: l