
Digium Asterisk vulnerabilities

114 known vulnerabilities affecting digium/asterisk.

Total CVEs: 114
CISA KEV: 0
Public exploits: 8
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 37, MEDIUM 67, LOW 5

Vulnerabilities

Page 6 of 6
CVE-2010-0685 | P4 | MEDIUM | CVSS 5.0 | Affected: v1.2.0, v1.2.1, +95 more | 2010-02-23
[MEDIUM] The design of the dialplan functionality in Asterisk Open Source 1.2.x, 1.4.x, and 1.6.x; and Asterisk Business Edition B.x.x and C.x.x, when using the ${EXTEN} channel variable and wildcard pattern matches, allows context-dependent attackers to inject strings into the dialplan using metacharacters that are injected when the variable is expanded, as demonstra
Sources: nvd, osv
CVE-2014-4048 | P4 | MEDIUM | CVSS 4.3 | Affected: ≤ 12.3.0, v12.0.0, +4 more | 2014-06-17
[MEDIUM] The PJSIP Channel Driver in Asterisk Open Source before 12.3.1 allows remote attackers to cause a denial of service (deadlock) by terminating a subscription request before it is complete, which triggers a SIP transaction timeout.
Sources: nvd
CVE-2009-2651 | P4 | MEDIUM | CVSS 5.0 | Affected: v1.6.1 | 2009-07-30
[MEDIUM] CWE-399: main/rtp.c in Asterisk Open Source 1.6.1 before 1.6.1.2 allows remote attackers to cause a denial of service (crash) via an RTP text frame without a certain delimiter, which triggers a NULL pointer dereference and the subsequent calculation of an invalid pointer.
Sources: nvd, osv
CVE-2012-3812 | P4 | MEDIUM | CVSS 4.0 | Affected: v1.8.0, v1.8.1, +45 more | 2012-07-09
[MEDIUM] CWE-399: Double free vulnerability in apps/app_voicemail.c in Asterisk Open Source 1.8.x before 1.8.13.1 and 10.x before 10.5.2, Certified Asterisk 1.8.11-certx before 1.8.11-cert4, and Asterisk Digiumphones 10.x.x-digiumphones before 10.5.2-digiumphones allows remote authenticated users to cause a denial of service (daemon crash) by establishing multiple voice
Sources: nvd, osv
CVE-2012-3863 | P4 | MEDIUM | CVSS 4.0 | Affected: v1.8.0, v1.8.1, +45 more | 2012-07-09
[MEDIUM] CWE-399: channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.13.1 and 10.x before 10.5.2, Asterisk Business Edition C.3.x before C.3.7.5, Certified Asterisk 1.8.11-certx before 1.8.11-cert4, and Asterisk Digiumphones 10.x.x-digiumphones before 10.5.2-digiumphones does not properly handle a provisional response to a SIP reINVITE request, which allows r
Sources: nvd, osv
CVE-2011-4598 | P4 | MEDIUM | CVSS 4.3 | Affected: v1.8.0, v1.8.1, +40 more | 2011-12-15
[MEDIUM] CWE-200: The handle_request_info function in channels/chan_sip.c in Asterisk Open Source 1.6.2.x before 1.6.2.21 and 1.8.x before 1.8.7.2, when automon is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted sequence of SIP requests.
Sources: nvd, osv
CVE-2014-6609 | P4 | MEDIUM | CVSS 4.0 | Affected: v12.0.0, v12.1.0, +4 more | 2014-11-26
[MEDIUM] CWE-20: The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package.
Sources: nvd
CVE-2015-1558 | P4 | LOW | CVSS 3.5 | Affected: v12.0.0, v12.1.0, +14 more | 2015-02-09
[LOW] CWE-399: Asterisk Open Source 12.x before 12.8.1 and 13.x before 13.1.1, when using the PJSIP channel driver, does not properly reclaim RTP ports, which allows remote authenticated users to cause a denial of service (file descriptor consumption) via an SDP offer containing only incompatible codecs.
Sources: nvd, osv
CVE-2014-6610 | P4 | MEDIUM | CVSS 4.0 | Affected: v11.0.0, v11.1.0, +17 more | 2014-11-26
[MEDIUM] CWE-19: Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dialplan application.
Sources: nvd, osv
CVE-2014-2287 | P4 | LOW | CVSS 3.5 | Affected: v1.8.0, v1.8.1, +61 more | 2014-04-18
[LOW] CWE-20: channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before 11.8.1, and 12.1.x before 12.1.1, and Certified Asterisk 1.8.15 before 1.8.15-cert5 and 11.6 before 11.6-cert2, when chan_sip has a certain configuration, allows remote authenticated users to cause a denial of service (channel and file descriptor consumption) via an INVITE req
Sources: nvd, osv
CVE-2012-3553 | P4 | MEDIUM | CVSS 4.0 | Affected: v10.0.0, v10.0.1, +12 more | 2012-06-19
[MEDIUM] chan_skinny.c in the Skinny (aka SCCP) channel driver in Asterisk Open Source 10.x before 10.5.1 allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by sending a Station Key Pad Button message and closing a connection in off-hook mode, a related issue to CVE-2012-2948.
Sources: nvd
CVE-2014-2289 | P4 | LOW | CVSS 3.5 | Affected: v12.0.0, v12.1.0 | 2014-04-18
[LOW] CWE-20: res/res_pjsip_exten_state.c in the PJSIP channel driver in Asterisk Open Source 12.x before 12.1.0 allows remote authenticated users to cause a denial of service (crash) via a SUBSCRIBE request without any Accept headers, which triggers an invalid pointer dereference.
Sources: nvd
CVE-2012-2947 | P4 | LOW | CVSS 2.6 | Affected: v1.8.0, v1.8.1, +45 more | 2012-06-02
[LOW] CWE-284: chan_iax2.c in the IAX2 channel driver in Certified Asterisk 1.8.11-cert before 1.8.11-cert2 and Asterisk Open Source 1.8.x before 1.8.12.1 and 10.x before 10.4.1, when a certain mohinterpret setting is enabled, allows remote attackers to cause a denial of service (daemon crash) by placing a call on hold.
Sources: nvd, osv
CVE-2009-0871 | P4 | LOW | CVSS 3.5 | Affected: v1.4.22, v1.4.23, +9 more | 2009-03-11
[LOW] CWE-20: The SIP channel driver in Asterisk Open Source 1.4.22, 1.4.23, and 1.4.23.1; 1.6.0 before 1.6.0.6; 1.6.1 before 1.6.1.0-rc2; and Asterisk Business Edition C.2.3, with the pedantic option enabled, allows remote authenticated users to cause a denial of service (crash) via a SIP INVITE request without any headers, which triggers a NULL pointer dereference in
Sources: nvd