
Digium Asterisk vulnerabilities

114 known vulnerabilities affecting digium/asterisk.

Total CVEs: 114
CISA KEV: 0
Public exploits: 8
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 37, MEDIUM 67, LOW 5

Vulnerabilities

Page 5 of 6
CVE-2010-1224 | P4 | MEDIUM | CVSS 4.3 | affected: v1.6.0, v1.6.0.1, +42 more | published 2010-04-01
CWE-264: main/acl.c in Asterisk Open Source 1.6.0.x before 1.6.0.25, 1.6.1.x before 1.6.1.17, and 1.6.2.x before 1.6.2.5 does not properly enforce remote host access controls when CIDR notation "/0" is used in permit= and deny= configuration rules, which causes an improper arithmetic shift and might allow remote attackers to bypass ACL rules and access service
Sources: nvd, osv
CVE-2011-2529 | P4 | MEDIUM | CVSS 5.0 | affected: v1.6.0, v1.6.0.1, +83 more | published 2011-07-06
CWE-119: chan_sip.c in the SIP channel driver in Asterisk Open Source 1.6.x before 1.6.2.18.1 and 1.8.x before 1.8.4.3 does not properly handle '\0' characters in SIP packets, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted packet.
Sources: nvd, osv
CVE-2013-5641 | P4 | MEDIUM | CVSS 5.0 | affected: v1.8.17.0, v1.8.18.0, +18 more | published 2013-09-09
CWE-119: The SIP channel driver (channels/chan_sip.c) in Asterisk Open Source 1.8.17.x through 1.8.22.x, 1.8.23.x before 1.8.23.1, and 11.x before 11.5.1 and Certified Asterisk 1.8.15 before 1.8.15-cert3 and 11.2 before 11.2-cert2 allows remote attackers to cause a denial of service (NULL pointer dereference, segmentation fault, and daemon crash) via an ACK wi
Sources: nvd, osv
CVE-2012-5976 | P4 | MEDIUM | CVSS 5.0 | affected: ≤ 1.8.19.0, v1.8.0, +76 more | published 2013-01-04
CWE-119: Multiple stack consumption vulnerabilities in Asterisk Open Source 1.8.x before 1.8.19.1, 10.x before 10.11.1, and 11.x before 11.1.2; Certified Asterisk 1.8.11 before 1.8.11-cert10; and Asterisk Digiumphones 10.x-digiumphones before 10.11.1-digiumphones allow remote attackers to cause a denial of service (daemon crash) via TCP data using the (1) SIP,
Sources: nvd, osv
CVE-2014-2288 | P4 | MEDIUM | CVSS 4.3 | affected: v12.0.0, v12.1.0 | published 2014-04-18
CWE-20: The PJSIP channel driver in Asterisk Open Source 12.x before 12.1.1, when qualify_frequency "is enabled on an AOR and the remote SIP server challenges for authentication of the resulting OPTIONS request," allows remote attackers to cause a denial of service (crash) via a PJSIP endpoint that does not have an associated outgoing request.
Sources: nvd
CVE-2011-2536 | P4 | MEDIUM | CVSS 5.0 | affected: v1.8.0, v1.8.1, +110 more | published 2011-07-06
CWE-200: chan_sip.c in the SIP channel driver in Asterisk Open Source 1.4.x before 1.4.41.2, 1.6.2.x before 1.6.2.18.2, and 1.8.x before 1.8.4.4, and Asterisk Business Edition C.3.x before C.3.7.3, disregards the alwaysauthreject option and generates different responses for invalid SIP requests depending on whether the user account exists, which allows remote
Sources: nvd, osv
CVE-2011-2535 | P4 | MEDIUM | CVSS 5.0 | affected: v1.8.0, v1.8.1, +107 more | published 2011-07-06
CWE-20: chan_iax2.c in the IAX2 channel driver in Asterisk Open Source 1.4.x before 1.4.41.1, 1.6.2.x before 1.6.2.18.1, and 1.8.x before 1.8.4.3, and Asterisk Business Edition C.3 before C.3.7.3, accesses a memory address contained in an option control frame, which allows remote attackers to cause a denial of service (daemon crash) or possibly have unspecifie
Sources: nvd, osv
CVE-2014-8416 | P4 | MEDIUM | CVSS 5.0 | affected: ≥ 12.0.0, < 12.7.1; ≥ 13.0.0, < 13.0.1 | published 2014-11-24
CWE-20: Use-after-free vulnerability in the PJSIP channel driver in Asterisk Open Source 12.x before 12.7.1 and 13.x before 13.0.1, when using the res_pjsip_refer module, allows remote attackers to cause a denial of service (crash) via an in-dialog INVITE with Replaces message, which triggers the channel to be hung up.
Sources: nvd, osv
CVE-2014-8414 | P4 | MEDIUM | CVSS 5.0 | affected: ≤ 11.14.0 | published 2014-11-24
CWE-399: ConfBridge in Asterisk 11.x before 11.14.1 and Certified Asterisk 11.6 before 11.6-cert8 does not properly handle state changes, which allows remote attackers to cause a denial of service (channel hang and memory consumption) by causing transitions to be delayed, which triggers a state change from hung up to waiting for media.
Sources: nvd, osv
CVE-2014-8415 | P4 | MEDIUM | CVSS 5.0 | affected: ≥ 12.0.0, < 12.7.1; ≥ 13.0.0, < 13.0.1 | published 2014-11-24
CWE-20: Race condition in the chan_pjsip channel driver in Asterisk Open Source 12.x before 12.7.1 and 13.x before 13.0.1 allows remote attackers to cause a denial of service (assertion failure and crash) via a cancel request for a SIP session with a queued action to (1) answer a session or (2) send ringing.
Sources: nvd, osv
CVE-2009-4055 | P4 | MEDIUM | CVSS 5.0 | affected: v1.2.0, v1.2.1, +129 more | published 2009-12-02
rtp.c in Asterisk Open Source 1.2.x before 1.2.37, 1.4.x before 1.4.27.1, 1.6.0.x before 1.6.0.19, and 1.6.1.x before 1.6.1.11; Business Edition B.x.x before B.2.5.13, C.2.x.x before C.2.4.6, and C.3.x.x before C.3.2.3; and s800i 1.3.x before 1.3.0.6 allows remote attackers to cause a denial of service (daemon crash) via an RTP comfort noise payload with a lo
Sources: nvd, osv
CVE-2011-1174 | P4 | MEDIUM | CVSS 5.0 | affected: v1.6.1, v1.6.1.0, +45 more | published 2011-03-31
CWE-399: manager.c in Asterisk Open Source 1.6.1.x before 1.6.1.24, 1.6.2.x before 1.6.2.17.2, and 1.8.x before 1.8.3.2 allows remote attackers to cause a denial of service (CPU and memory consumption) via a series of manager sessions involving invalid data.
Sources: nvd, osv
CVE-2012-1183 | P4 | MEDIUM | CVSS 4.3 | affected: ≥ 1.4.0, < 1.4.44; ≥ 1.6.0, < 1.6.2.23; +2 more | published 2012-09-18
CWE-119: Stack-based buffer overflow in the milliwatt_generate function in the Milliwatt application in Asterisk 1.4.x before 1.4.44, 1.6.x before 1.6.2.23, 1.8.x before 1.8.10.1, and 10.x before 10.2.1, when the o option is used and the internal_timing option is off, allows remote attackers to cause a denial of service (application crash) via a large number of
Sources: nvd, osv
CVE-2011-2216 | P4 | MEDIUM | CVSS 5.0 | affected: v1.8.0, v1.8.1, +13 more | published 2011-06-06
reqresp_parser.c in the SIP channel driver in Asterisk Open Source 1.8.x before 1.8.4.2 does not initialize certain strings, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed Contact header.
Sources: nvd, osv
CVE-2011-2665 | P4 | MEDIUM | CVSS 5.0 | affected: v1.8.0, v1.8.1, +14 more | published 2011-07-06
reqresp_parser.c in the SIP channel driver in Asterisk Open Source 1.8.x before 1.8.4.3 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a SIP packet with a Contact header that lacks a < (less than) character.
Sources: nvd, osv
CVE-2011-1507 | P4 | MEDIUM | CVSS 5.0 | affected: v1.4.0, v1.4.1, +121 more | published 2011-04-27
CWE-399: Asterisk Open Source 1.4.x before 1.4.40.1, 1.6.1.x before 1.6.1.25, 1.6.2.x before 1.6.2.17.3, and 1.8.x before 1.8.3.3 and Asterisk Business Edition C.x.x before C.3.6.4 do not restrict the number of unauthenticated sessions to certain interfaces, which allows remote attackers to cause a denial of service (file descriptor exhaustion and disk space ex
Sources: nvd, osv
CVE-2011-1175 | P4 | MEDIUM | CVSS 5.0 | affected: v1.6.1, v1.6.1.0, +42 more | published 2011-03-31
tcptls.c in the TCP/TLS server in Asterisk Open Source 1.6.1.x before 1.6.1.23, 1.6.2.x before 1.6.2.17.1, and 1.8.x before 1.8.3.1 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) by establishing many short TCP sessions to services that use a certain TLS API.
Sources: nvd, osv
CVE-2011-2666 | P4 | MEDIUM | CVSS 5.0 | affected: v1.6.2.0, v1.6.2.1, +86 more | published 2011-07-06
The default configuration of the SIP channel driver in Asterisk Open Source 1.4.x through 1.4.41.2 and 1.6.2.x through 1.6.2.18.2 does not enable the alwaysauthreject option, which allows remote attackers to enumerate account names by making a series of invalid SIP requests and observing the differences in the responses for different usernames, a different vu
Sources: nvd, osv
CVE-2014-4045 | P4 | MEDIUM | CVSS 4.3 | affected: v12.0.0, v12.1.0, +3 more | published 2014-06-17
CWE-189: The Publish/Subscribe Framework in the PJSIP channel driver in Asterisk Open Source 12.x before 12.3.1, when sub_min_expiry is set to zero, allows remote attackers to cause a denial of service (assertion failure and crash) via an unsubscribe request when not subscribed to the device.
Sources: nvd
CVE-2012-5977 | P4 | MEDIUM | CVSS 4.3 | affected: ≤ 1.8.19.0, v1.8.0, +76 more | published 2013-01-04
CWE-119: Asterisk Open Source 1.8.x before 1.8.19.1, 10.x before 10.11.1, and 11.x before 11.1.2; Certified Asterisk 1.8.11 before 1.8.11-cert10; and Asterisk Digiumphones 10.x-digiumphones before 10.11.1-digiumphones, when anonymous calls are enabled, allow remote attackers to cause a denial of service (resource consumption) by making anonymous calls from mul
Sources: nvd, osv