cvebase

Debian Asterisk vulnerabilities

185 known vulnerabilities affecting debian/asterisk.

Total CVEs: 185
CISA KEV: 0
Public exploits: 18
Exploited in wild: 0
Severity breakdown: CRITICAL 17, HIGH 46, MEDIUM 93, LOW 27

Vulnerabilities

Page 9 of 10
CVE-2011-2216 | P4 | MEDIUM | CVSS 5.0 | fixed in asterisk 1:1.8.4.2-1 (bullseye) | 2011
asterisk - reqresp_parser.c in the SIP channel driver in Asterisk Open Source 1.8.x before 1.8.4.2 does not initialize certain strings, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed Contact header.
Scope: local. bullseye: resolved (fixed in 1:1.8.4.2-1). sid: resolved (fixed in 1:1.8.4.2-1).
Source: debian
CVE-2011-2665 | P4 | MEDIUM | CVSS 5.0 | fixed in asterisk 1:1.8.4.3-1 (bullseye) | 2011
asterisk - reqresp_parser.c in the SIP channel driver in Asterisk Open Source 1.8.x before 1.8.4.3 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a SIP packet with a Contact header that lacks a < (less than) character.
Scope: local. bullseye: resolved (fixed in 1:1.8.4.3-1). sid: resolved (fixed in 1:1.8.4.3-1).
Source: debian
CVE-2011-1507 | P4 | MEDIUM | CVSS 5.0 | fixed in asterisk 1:1.8.3.3-1 (bullseye) | 2011
asterisk - Asterisk Open Source 1.4.x before 1.4.40.1, 1.6.1.x before 1.6.1.25, 1.6.2.x before 1.6.2.17.3, and 1.8.x before 1.8.3.3 and Asterisk Business Edition C.x.x before C.3.6.4 do not restrict the number of unauthenticated sessions to certain interfaces, which allows remote attackers to cause a denial of service (file descriptor exhaustion and disk space exhaustion) via
Source: debian
CVE-2011-1175 | P4 | MEDIUM | CVSS 5.0 | fixed in asterisk 1:1.8.3.3-1 (bullseye) | 2011
asterisk - tcptls.c in the TCP/TLS server in Asterisk Open Source 1.6.1.x before 1.6.1.23, 1.6.2.x before 1.6.2.17.1, and 1.8.x before 1.8.3.1 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) by establishing many short TCP sessions to services that use a certain TLS API.
Scope: local. bullseye: resolved (fixed in 1:1.8.3.3-1). sid
Source: debian
CVE-2011-2666 | P4 | MEDIUM | CVSS 5.0 | fixed in asterisk 1:1.8.3.3-1 (bullseye) | 2011
asterisk - The default configuration of the SIP channel driver in Asterisk Open Source 1.4.x through 1.4.41.2 and 1.6.2.x through 1.6.2.18.2 does not enable the alwaysauthreject option, which allows remote attackers to enumerate account names by making a series of invalid SIP requests and observing the differences in the responses for different usernames, a different vulnerab
Source: debian
CVE-2012-5977 | P4 | MEDIUM | CVSS 4.3 | fixed in asterisk 1:1.8.13.1~dfsg-2 (bullseye) | 2012
asterisk - Asterisk Open Source 1.8.x before 1.8.19.1, 10.x before 10.11.1, and 11.x before 11.1.2; Certified Asterisk 1.8.11 before 1.8.11-cert10; and Asterisk Digiumphones 10.x-digiumphones before 10.11.1-digiumphones, when anonymous calls are enabled, allow remote attackers to cause a denial of service (resource consumption) by making anonymous calls from multiple sources
Source: debian
CVE-2008-3903 | P4 | LOW | CVSS 3.5 | fixed in asterisk 1:1.6.1.0~dfsg-1 (bullseye) | 2008
asterisk - Asterisk Open Source 1.2.x before 1.2.32, 1.4.x before 1.4.24.1, and 1.6.0.x before 1.6.0.8; Asterisk Business Edition A.x.x, B.x.x before B.2.5.8, C.1.x.x before C.1.10.5, and C.2.x.x before C.2.3.3; s800i 1.3.x before 1.3.0.2; and Trixbox PBX 2.6.1, when Digest authentication and authalwaysreject are enabled, generates different responses depending on whether a SIP
Source: debian
CVE-2010-0685 | P4 | MEDIUM | CVSS 5.0 | fixed in asterisk 1:1.6.2.6-1 (bullseye) | 2010
asterisk - The design of the dialplan functionality in Asterisk Open Source 1.2.x, 1.4.x, and 1.6.x; and Asterisk Business Edition B.x.x and C.x.x, when using the ${EXTEN} channel variable and wildcard pattern matches, allows context-dependent attackers to inject strings into the dialplan using metacharacters that are injected when the variable is expanded, as demonstrated us
Source: debian
CVE-2007-2383 | P4 | LOW | CVSS 5.0 | fixed in asterisk 1:1.6.2.0~rc3-1 (bullseye) | 2007
[MEDIUM] asterisk - The Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijack
Source: debian
CVE-2007-4455 | P4 | MEDIUM | CVSS 5.0 | fixed in asterisk 1:1.4.11~dfsg-1 (bullseye) | 2007
asterisk - The SIP channel driver (chan_sip) in Asterisk Open Source 1.4.x before 1.4.11, AsteriskNOW before beta7, Asterisk Appliance Developer Kit 0.x before 0.8.0, and s800i (Asterisk Appliance) 1.x before 1.0.3 allows remote attackers to cause a denial of service (memory exhaustion) via a SIP dialog that causes a large number of history entries to be created.
Scope: local
Source: debian
CVE-2009-2651 | P4 | LOW | CVSS 5.0 | fixed in asterisk 1:1.6.2.0~dfsg~rc1-1 (bullseye) | 2009
[MEDIUM] asterisk - main/rtp.c in Asterisk Open Source 1.6.1 before 1.6.1.2 allows remote attackers to cause a denial of service (crash) via an RTP text frame without a certain delimiter, which triggers a NULL pointer dereference and the subsequent calculation of an invalid pointer.
Scope: local. bullseye: resolved (fixed in 1:1.6.2.0~dfsg~rc1-1). sid: resolved (fixed in 1:1.6.2.0~dfsg~
Source: debian
CVE-2007-3765 | P4 | MEDIUM | CVSS 5.0 | fixed in asterisk 1:1.4.8~dfsg-1 (bullseye) | 2007
asterisk - The STUN implementation in Asterisk 1.4.x before 1.4.8, AsteriskNOW before beta7, Appliance Developer Kit before 0.5.0, and s800i before 1.0.2 allows remote attackers to cause a denial of service (crash) via a crafted STUN length attribute in a STUN packet sent on an RTP port.
Scope: local. bullseye: resolved (fixed in 1:1.4.8~dfsg-1). sid: resolved (fixed in 1:1.4.8
Source: debian
CVE-2012-3812 | P4 | MEDIUM | CVSS 4.0 | fixed in asterisk 1:1.8.13.1~dfsg-1 (bullseye) | 2012
asterisk - Double free vulnerability in apps/app_voicemail.c in Asterisk Open Source 1.8.x before 1.8.13.1 and 10.x before 10.5.2, Certified Asterisk 1.8.11-certx before 1.8.11-cert4, and Asterisk Digiumphones 10.x.x-digiumphones before 10.5.2-digiumphones allows remote authenticated users to cause a denial of service (daemon crash) by establishing multiple voicemail sessions
Source: debian
CVE-2012-3863 | P4 | MEDIUM | CVSS 4.0 | fixed in asterisk 1:1.8.13.1~dfsg-1 (bullseye) | 2012
asterisk - channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.13.1 and 10.x before 10.5.2, Asterisk Business Edition C.3.x before C.3.7.5, Certified Asterisk 1.8.11-certx before 1.8.11-cert4, and Asterisk Digiumphones 10.x.x-digiumphones before 10.5.2-digiumphones does not properly handle a provisional response to a SIP reINVITE request, which allows remote authenti
Source: debian
CVE-2011-4598 | P4 | MEDIUM | CVSS 4.3 | fixed in asterisk 1:1.8.8.0~dfsg-1 (bullseye) | 2011
asterisk - The handle_request_info function in channels/chan_sip.c in Asterisk Open Source 1.6.2.x before 1.6.2.21 and 1.8.x before 1.8.7.2, when automon is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted sequence of SIP requests.
Scope: local. bullseye: resolved (fixed in 1:1.8.8.0~dfsg-1). sid: resolved (
Source: debian
CVE-2008-1897 | P4 | MEDIUM | CVSS 4.3 | fixed in asterisk 1:1.4.19.1~dfsg-1 (bullseye) | 2008
asterisk - The IAX2 channel driver (chan_iax2) in Asterisk Open Source 1.0.x, 1.2.x before 1.2.28, and 1.4.x before 1.4.19.1; Business Edition A.x.x, B.x.x before B.2.5.2, and C.x.x before C.1.8.1; AsteriskNOW before 1.0.3; Appliance Developer Kit 0.x.x; and s800i before 1.1.0.3, when configured to allow unauthenticated calls, does not verify that an ACK response contains a c
Source: debian
CVE-2008-5558 | P4 | MEDIUM | CVSS 4.3 | fixed in asterisk 1:1.4.0~dfsg-1 (bullseye) | 2008
asterisk - Asterisk Open Source 1.2.26 through 1.2.30.3 and Business Edition B.2.3.5 through B.2.5.5, when realtime IAX2 users are enabled, allows remote attackers to cause a denial of service (crash) via authentication attempts involving (1) an unknown user or (2) a user using hostname matching.
Scope: local. bullseye: resolved (fixed in 1:1.4.0~dfsg-1). sid: resolved (fixed i
Source: debian
CVE-2015-1558 | P4 | LOW | CVSS 3.5 | fixed in asterisk 1:13.1.0~dfsg-1.1 (bullseye) | 2015
asterisk - Asterisk Open Source 12.x before 12.8.1 and 13.x before 13.1.1, when using the PJSIP channel driver, does not properly reclaim RTP ports, which allows remote authenticated users to cause a denial of service (file descriptor consumption) via an SDP offer containing only incompatible codecs.
Scope: local. bullseye: resolved (fixed in 1:13.1.0~dfsg-1.1). sid: resolved (fix
Source: debian
CVE-2012-0885 | P4 | MEDIUM | CVSS 4.3 | fixed in asterisk 1:1.8.8.2~dfsg-1 (bullseye) | 2012
asterisk - chan_sip.c in Asterisk Open Source 1.8.x before 1.8.8.2 and 10.x before 10.0.1, when the res_srtp module is used and media support is improperly configured, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted SDP message with a crypto attribute and a (1) video or (2) text media type, as demonstrated by CSip
Source: debian
CVE-2014-6610 | P4 | MEDIUM | CVSS 4.0 | fixed in asterisk 1:11.12.1~dfsg-1 (bullseye) | 2014
asterisk - Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dialplan application.
Scope: local. bullseye: resolved (fixed in 1:11.1
Source: debian