Digium Asterisk vulnerabilities
114 known vulnerabilities affecting digium/asterisk.
Total CVEs: 114
CISA KEV: 0
Public exploits: 8
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 37, MEDIUM 67, LOW 5
Vulnerabilities
Page 4 of 6
CVE-2020-35652 | P4 | MEDIUM | CVSS 6.5 | Affected: fixed in 13.38.0; ≥ 14.0, < 16.15.0; +2 more | Published: 2021-01-29
An issue was discovered in res_pjsip_diversion.c in Sangoma Asterisk before 13.38.0, 14.x through 16.x before 16.15.0, 17.x before 17.9.0, and 18.x before 18.1.0. A crash can occur when a SIP message is received with a History-Info header that contains a tel-uri, or when a SIP 181 response is received that contains a tel-uri in the Diversion header.
CVE-2018-12227 | P4 | MEDIUM | CWE-200 | CVSS 5.3 | Affected: ≥ 13.0.0, < 13.21.1; fixed in 14.7.7; +1 more | Published: 2018-06-12
An issue was discovered in Asterisk Open Source 13.x before 13.21.1, 14.x before 14.7.7, and 15.x before 15.4.1 and Certified Asterisk 13.18-cert before 13.18-cert4 and 13.21-cert before 13.21-cert2. When endpoint specific ACL rules block a SIP request, they respond with a 403 forbidden. However, if an endpoint is not identified, then a 401 unauthor
CVE-2016-2232 | P4 | MEDIUM | CVSS 6.5 | Affected: v1.8.0, v1.8.1, +115 more | Published: 2016-02-22
Asterisk Open Source 1.8.x, 11.x before 11.21.1, 12.x, and 13.x before 13.7.1 and Certified Asterisk 1.8.28, 11.6 before 11.6-cert12, and 13.1 before 13.1-cert3 allow remote authenticated users to cause a denial of service (uninitialized pointer dereference and crash) via a zero length error correcting redundancy packet for a UDPTL FAX packet that is lost.
CVE-2019-13161 | P4 | MEDIUM | CWE-476 | CVSS 5.3 | Affected: ≥ 13.0.0, < 13.27.1; ≥ 15.0.0, < 15.7.3; +1 more | Published: 2019-07-12
An issue was discovered in Asterisk Open Source through 13.27.0, 14.x and 15.x through 15.7.2, and 16.x through 16.4.0, and Certified Asterisk through 13.21-cert3. A pointer dereference in chan_sip while handling SDP negotiation allows an attacker to crash Asterisk when handling an SDP answer to an outgoing T.38 re-invite. To exploit this vulnerabil
CVE-2005-2081 | P4 | MEDIUM | CVSS 5.0 | Affected: v1.0.7 | Published: 2005-07-05
Stack-based buffer overflow in the function that parses commands in Asterisk 1.0.7, when the 'write = command' option is enabled, allows remote attackers to execute arbitrary code via a command that has two double quotes followed by a tab character.
CVE-2016-9938 | P4 | MEDIUM | CWE-285 | CVSS 5.3 | Affected: v11.0.0, v11.0.1, +81 more | Published: 2016-12-12
An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than
CVE-2014-9374 | P4 | MEDIUM | CVSS 5.0 | Affected: v11.0.0, v11.1.0, +24 more | Published: 2014-12-12
Double free vulnerability in the WebSocket Server (res_http_websocket module) in Asterisk Open Source 11.x before 11.14.2, 12.x before 12.7.2, and 13.x before 13.0.2 and Certified Asterisk 11.6 before 11.6-cert9 allows remote attackers to cause a denial of service (crash) by sending a zero length frame after a non-zero length frame.
CVE-2003-0779 | P4 | HIGH | CVSS 7.5 | Affected: v0.1.7, v0.1.8, +5 more | Published: 2003-09-22
SQL injection vulnerability in the Call Detail Record (CDR) logging functionality for Asterisk allows remote attackers to execute arbitrary SQL via a CallerID string.
CVE-2016-2316 | P4 | MEDIUM | CWE-191 | CVSS 5.9 | Affected: v1.8.0, v1.8.1, +115 more | Published: 2016-02-22
chan_sip in Asterisk Open Source 1.8.x, 11.x before 11.21.1, 12.x, and 13.x before 13.7.1 and Certified Asterisk 1.8.28, 11.6 before 11.6-cert12, and 13.1 before 13.1-cert3, when the timert1 sip.conf configuration is set to a value greater than 1245, allows remote attackers to cause a denial of service (file descriptor consumption) via vectors related
CVE-2013-5642 | P4 | MEDIUM | CWE-20 | CVSS 5.0 | Affected: v1.8.17.0, v1.8.18.0, +23 more | Published: 2013-09-09
The SIP channel driver (channels/chan_sip.c) in Asterisk Open Source 1.8.x before 1.8.23.1, 10.x before 10.12.3, and 11.x before 11.5.1; Certified Asterisk 1.8.15 before 1.8.15-cert3 and 11.2 before 11.2-cert2; and Asterisk Digiumphones 10.x-digiumphones before 10.12.3-digiumphones allows remote attackers to cause a denial of service (NULL pointer dere
CVE-2021-26906 | P4 | MEDIUM | CWE-404 | CVSS 5.9 | Affected: ≥ 13.0.0, < 13.38.2; ≥ 16.0.0, < 16.16.1; +2 more | Published: 2021-02-18
An issue was discovered in res_pjsip_session.c in Digium Asterisk through 13.38.1; 14.x, 15.x, and 16.x through 16.16.0; 17.x through 17.9.1; and 18.x through 18.2.0, and Certified Asterisk through 16.8-cert5. An SDP negotiation vulnerability in PJSIP allows a remote server to potentially crash Asterisk by sending specific SIP responses that cause a
CVE-2003-0761 | P4 | HIGH | CVSS 7.5 | Affected: v1.2.13 | Published: 2003-09-17
Buffer overflow in the get_msg_text of chan_sip.c in the Session Initiation Protocol (SIP) protocol implementation for Asterisk releases before August 15, 2003, allows remote attackers to execute arbitrary code via certain (1) MESSAGE or (2) INFO requests.
CVE-2007-5358 | P4 | MEDIUM | CWE-119 | CVSS 6.8 | Affected: ≤ 1.4.12 | Published: 2007-10-12
Multiple buffer overflows in the voicemail functionality in Asterisk 1.4.x before 1.4.13, when using IMAP storage, might allow (1) remote attackers to execute arbitrary code via a long combination of Content-type and Content-description headers, or (2) local users to execute arbitrary code via a long combination of astspooldir, voicemail context, and
CVE-2017-16672 | P4 | MEDIUM | CWE-772 | CVSS 5.9 | Affected: ≥ 13.0.0, < 13.18.1; ≥ 14.0.0, < 14.7.1; +1 more | Published: 2017-11-09
An issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 before 14.7.1, and 15 before 15.1.1 and Certified Asterisk 13.13 before 13.13-cert7. A memory leak occurs when an Asterisk pjsip session object is created and that call gets rejected before the session itself is fully established. When this happens the session object never gets de
CVE-2014-8412 | P4 | MEDIUM | CWE-264 | CVSS 5.0 | Affected: ≥ 1.8.0, < 1.8.32.1; ≥ 11.0.0, < 11.14.1; +2 more | Published: 2014-11-24
The (1) VoIP channel drivers, (2) DUNDi, and (3) Asterisk Manager Interface (AMI) in Asterisk Open Source 1.8.x before 1.8.32.1, 11.x before 11.14.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 1.8.28 before 1.8.28-cert3 and 11.6 before 11.6-cert8 allows remote attackers to bypass the ACL restrictions via a packet with a source I
CVE-2014-4047 | P4 | MEDIUM | CVSS 5.0 | Affected: v1.8.0, v1.8.1, +82 more | Published: 2014-06-17
Asterisk Open Source 1.8.x before 1.8.28.1, 11.x before 11.10.1, and 12.x before 12.3.1 and Certified Asterisk 1.8.15 before 1.8.15-cert6 and 11.6 before 11.6-cert3 allows remote attackers to cause a denial of service (connection consumption) via a large number of (1) inactive or (2) incomplete HTTP connections.
CVE-2011-4597 | P4 | MEDIUM | CWE-200 | CVSS 5.0 | Affected: v1.8.0, v1.8.1, +111 more | Published: 2011-12-15
The SIP over UDP implementation in Asterisk Open Source 1.4.x before 1.4.43, 1.6.x before 1.6.2.21, and 1.8.x before 1.8.7.2 uses different port numbers for responses to invalid requests depending on whether a SIP username exists, which allows remote attackers to enumerate usernames via a series of requests.
CVE-2012-4737 | P4 | MEDIUM | CWE-264 | CVSS 6.0 | Affected: v1.8.0, v1.8.1, +68 more | Published: 2012-08-31
channels/chan_iax2.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert7, Asterisk Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6 does not enforce ACL rules during certain uses of peer credentials, which allows remote authen
CVE-2006-5445 | P4 | HIGH | CVSS 7.8 | Affected: v1.2.0_beta1, v1.2.0_beta2, +11 more | Published: 2006-10-23
Unspecified vulnerability in the SIP channel driver (channels/chan_sip.c) in Asterisk 1.2.x before 1.2.13 and 1.4.x before 1.4.0-beta3 allows remote attackers to cause a denial of service (resource consumption) via unspecified vectors that result in the creation of "a real pvt structure" that uses more resources than necessary.
CVE-2009-3727 | P4 | MEDIUM | CWE-200 | CVSS 5.0 | Affected: v1.2.0, v1.2.1, +126 more | Published: 2009-11-10
Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.3, 1.6.0.x before 1.6.0.17, and 1.6.1.x before 1.6.1.9; Business Edition A.x.x, B.x.x before B.2.5.12, C.2.x.x before C.2.4.5, and C.3.x.x before C.3.2.2; AsteriskNOW 1.5; and s800i 1.3.x before 1.3.0.5 generate different error messages depending on whether a SIP username is valid, which al