
Debian Asterisk vulnerabilities

185 known vulnerabilities affecting debian/asterisk.

Total CVEs: 185
CISA KEV: 0
Public exploits: 18
Exploited in wild: 0
Severity breakdown: CRITICAL 17, HIGH 46, MEDIUM 93, LOW 27

Vulnerabilities

Page 7 of 10
CVE-2013-5642 | P4 | MEDIUM | CVSS 5.0 | fixed in asterisk 1:11.5.1~dfsg-1 (bullseye) | 2013
[MEDIUM] asterisk - The SIP channel driver (channels/chan_sip.c) in Asterisk Open Source 1.8.x before 1.8.23.1, 10.x before 10.12.3, and 11.x before 11.5.1; Certified Asterisk 1.8.15 before 1.8.15-cert3 and 11.2 before 11.2-cert2; and Asterisk Digiumphones 10.x-digiumphones before 10.12.3-digiumphones allows remote attackers to cause a denial of service (NULL pointer dereference, segm
debian
CVE-2021-26906 | P4 | MEDIUM | CVSS 5.9 | fixed in asterisk 1:16.16.1~dfsg-1 (bullseye) | 2021
[MEDIUM] asterisk - An issue was discovered in res_pjsip_session.c in Digium Asterisk through 13.38.1; 14.x, 15.x, and 16.x through 16.16.0; 17.x through 17.9.1; and 18.x through 18.2.0, and Certified Asterisk through 16.8-cert5. An SDP negotiation vulnerability in PJSIP allows a remote server to potentially crash Asterisk by sending specific SIP responses that cause an SDP negotiat
debian
CVE-2003-0761 | P4 | HIGH | CVSS 7.5 | fixed in asterisk 0.5.0 (bullseye) | 2003
[HIGH] asterisk - Buffer overflow in the get_msg_text of chan_sip.c in the Session Initiation Protocol (SIP) protocol implementation for Asterisk releases before August 15, 2003, allows remote attackers to execute arbitrary code via certain (1) MESSAGE or (2) INFO requests. Scope: local bullseye: resolved (fixed in 0.5.0) sid: resolved (fixed in 0.5.0)
debian
CVE-2007-5358 | P4 | MEDIUM | CVSS 6.8 | fixed in asterisk 1:1.4.13~dfsg-1 (bullseye) | 2007
[MEDIUM] asterisk - Multiple buffer overflows in the voicemail functionality in Asterisk 1.4.x before 1.4.13, when using IMAP storage, might allow (1) remote attackers to execute arbitrary code via a long combination of Content-type and Content-description headers, or (2) local users to execute arbitrary code via a long combination of astspooldir, voicemail context, and voicemail mail
debian
CVE-2017-16672 | P4 | MEDIUM | CVSS 5.9 | fixed in asterisk 1:13.18.1~dfsg-1 (bullseye) | 2017
[MEDIUM] asterisk - An issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 before 14.7.1, and 15 before 15.1.1 and Certified Asterisk 13.13 before 13.13-cert7. A memory leak occurs when an Asterisk pjsip session object is created and that call gets rejected before the session itself is fully established. When this happens the session object never gets destroyed. Event
debian
CVE-2009-2346 | P4 | HIGH | CVSS 7.8 | fixed in asterisk 1:1.6.2.0~dfsg~beta3-1 (bullseye) | 2009
[HIGH] asterisk - The IAX2 protocol implementation in Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.2, 1.6.0.x before 1.6.0.15, and 1.6.1.x before 1.6.1.6; Business Edition B.x.x before B.2.5.10, C.2.x before C.2.4.3, and C.3.x before C.3.1.1; and s800i 1.3.x before 1.3.0.3 allows remote attackers to cause a denial of service (call-number exhaustion) by initiating many
debian
CVE-2007-2297 | P4 | MEDIUM | CVSS 7.8 | fixed in asterisk 1:1.4.2~dfsg-1 (bullseye) | 2007
[HIGH] asterisk - The SIP channel driver (chan_sip) in Asterisk before 1.2.18 and 1.4.x before 1.4.3 does not properly parse SIP UDP packets that do not contain a valid response code, which allows remote attackers to cause a denial of service (crash). Scope: local bullseye: resolved (fixed in 1:1.4.2~dfsg-1) sid: resolved (fixed in 1:1.4.2~dfsg-1)
debian
CVE-2014-8412 | P4 | MEDIUM | CVSS 5.0 | fixed in asterisk 1:13.1.0~dfsg-1 (bullseye) | 2014
[MEDIUM] asterisk - The (1) VoIP channel drivers, (2) DUNDi, and (3) Asterisk Manager Interface (AMI) in Asterisk Open Source 1.8.x before 1.8.32.1, 11.x before 11.14.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 1.8.28 before 1.8.28-cert3 and 11.6 before 11.6-cert8 allows remote attackers to bypass the ACL restrictions via a packet with a source IP that does no
debian
CVE-2014-4047 | P4 | LOW | CVSS 5.0 | fixed in asterisk 1:11.10.2~dfsg-1 (bullseye) | 2014
[MEDIUM] asterisk - Asterisk Open Source 1.8.x before 1.8.28.1, 11.x before 11.10.1, and 12.x before 12.3.1 and Certified Asterisk 1.8.15 before 1.8.15-cert6 and 11.6 before 11.6-cert3 allows remote attackers to cause a denial of service (connection consumption) via a large number of (1) inactive or (2) incomplete HTTP connections. Scope: local bullseye: resolved (fixed in 1:11.10.2~d
debian
CVE-2021-32686 | P4 | MEDIUM | CVSS 5.9 | fixed in asterisk 1:16.16.1~dfsg-1+deb11u1 (bullseye) | 2021
[MEDIUM] asterisk - PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1, there are a couple of issues found in the SSL socket. First, a race condition between callback and destroy, due to the accepted socket having no group lock. Second,
debian
CVE-2011-4597 | P4 | MEDIUM | CVSS 5.0 | fixed in asterisk 1:1.8.8.0~dfsg-1 (bullseye) | 2011
[MEDIUM] asterisk - The SIP over UDP implementation in Asterisk Open Source 1.4.x before 1.4.43, 1.6.x before 1.6.2.21, and 1.8.x before 1.8.7.2 uses different port numbers for responses to invalid requests depending on whether a SIP username exists, which allows remote attackers to enumerate usernames via a series of requests. Scope: local bullseye: resolved (fixed in 1:1.8.8.0~dfsg-
debian
CVE-2026-23738 | P4 | LOW | CVSS 3.5 | fixed in asterisk 1:16.28.0~dfsg-0+deb11u9 (bullseye) | 2026
[LOW] asterisk - Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using ast_str_append. The endpoint at GET /httpstatus is the potential vulnerable endpoint relat
debian
CVE-2024-42491 | P4 | MEDIUM | CVSS 5.7 | fixed in asterisk 1:16.28.0~dfsg-0+deb11u5 (bullseye) | 2024
[MEDIUM] asterisk - Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.24.3, 20.9.3, and 21.4.3 of Asterisk and versions 18.9-cert12 and 20.7-cert2 of certified-asterisk, if Asterisk attempts to send a SIP request to a URI whose host portion starts with `.1` or `[.1]`, and res_resolver_unbound is loaded, Asterisk will crash with a SEGV. To receive a patch
debian
CVE-2012-2415 | P4 | MEDIUM | CVSS 6.5 | fixed in asterisk 1:1.8.11.1~dfsg-1 (bullseye) | 2012
[MEDIUM] asterisk - Heap-based buffer overflow in chan_skinny.c in the Skinny channel driver in Asterisk Open Source 1.6.2.x before 1.6.2.24, 1.8.x before 1.8.11.1, and 10.x before 10.3.1 allows remote authenticated users to cause a denial of service or possibly have unspecified other impact via a series of KEYPAD_BUTTON_MESSAGE events. Scope: local bullseye: resolved (fixed in 1:1.8.
debian
CVE-2007-6430 | P4 | LOW | CVSS 4.3 | fixed in asterisk 1:1.4.16.2~dfsg-1 (bullseye) | 2007
[MEDIUM] asterisk - Asterisk Open Source 1.2.x before 1.2.26 and 1.4.x before 1.4.16, and Business Edition B.x.x before B.2.3.6 and C.x.x before C.1.0-beta8, when using database-based registrations ("realtime") and host-based authentication, does not check the IP address when the username is correct and there is no password, which allows remote attackers to bypass authentication using
debian
CVE-2012-4737 | P4 | MEDIUM | CVSS 6.0 | fixed in asterisk 1:1.8.13.1~dfsg-1 (bullseye) | 2012
[MEDIUM] asterisk - channels/chan_iax2.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert7, Asterisk Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6 does not enforce ACL rules during certain uses of peer credentials, which allows remote authenticated users
debian
CVE-2020-28327 | P4 | MEDIUM | CVSS 5.3 | fixed in asterisk 1:16.15.0~dfsg-1 (bullseye) | 2020
[MEDIUM] asterisk - A res_pjsip_session crash was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1. and Certified Asterisk before 16.8-cert5. Upon receiving a new SIP Invite, Asterisk did not return the created dialog locked or referenced. This caused a gap between the creation of the dialog object, and its next
debian
CVE-2024-53566 | P4 | MEDIUM | CVSS 5.5 | fixed in asterisk 1:16.28.0~dfsg-0+deb11u6 (bullseye) | 2024
[MEDIUM] asterisk - An issue in the action_listcategories() function of Sangoma Asterisk v22/22.0.0/22.0.0-rc1/22.0.0-rc2/22.0.0-pre1 allows attackers to execute a path traversal. Scope: local bullseye: resolved (fixed in 1:16.28.0~dfsg-0+deb11u6) sid: resolved (fixed in 1:22.1.1~dfsg+~cs6.14.60671435-1)
debian
CVE-2006-5445 | P4 | MEDIUM | CVSS 7.8 | fixed in asterisk 1:1.2.13~dfsg-1 (bullseye) | 2006
[HIGH] asterisk - Unspecified vulnerability in the SIP channel driver (channels/chan_sip.c) in Asterisk 1.2.x before 1.2.13 and 1.4.x before 1.4.0-beta3 allows remote attackers to cause a denial of service (resource consumption) via unspecified vectors that result in the creation of "a real pvt structure" that uses more resources than necessary. Scope: local bullseye: resolved (fixed
debian
CVE-2009-3727 | P4 | MEDIUM | CVSS 5.0 | fixed in asterisk 1:1.6.2.0~rc6-1 (bullseye) | 2009
[MEDIUM] asterisk - Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.3, 1.6.0.x before 1.6.0.17, and 1.6.1.x before 1.6.1.9; Business Edition A.x.x, B.x.x before B.2.5.12, C.2.x.x before C.2.4.5, and C.3.x.x before C.3.2.2; AsteriskNOW 1.5; and s800i 1.3.x before 1.3.0.5 generate different error messages depending on whether a SIP username is valid, which allows remote at
debian