Vulnerabilities > Asterisk > Open Source

DATE CVE VULNERABILITY TITLE RISK
2020-11-06 CVE-2020-28327 Improper Resource Shutdown or Release vulnerability in multiple products
A res_pjsip_session crash was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1.
network
high complexity
asterisk digium CWE-404
2.1
2.1
2020-11-06 CVE-2020-28242 Uncontrolled Recursion vulnerability in multiple products
An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1 and Certified Asterisk before 16.8-cert5.
network
low complexity
asterisk fedoraproject debian CWE-674
6.5
6.5
2019-10-29 CVE-2009-3723 Incorrect Authorization vulnerability in multiple products
asterisk allows calls on prohibited networks
network
low complexity
asterisk debian CWE-863
5.0
5.0
2018-06-12 CVE-2018-12228 Infinite Loop vulnerability in Asterisk Open Source
An issue was discovered in Asterisk Open Source 15.x before 15.4.1.
network
low complexity
asterisk CWE-835
6.8
6.8
2017-06-02 CVE-2017-9358 Infinite Loop vulnerability in Asterisk Certified Asterisk and Open Source
A memory exhaustion vulnerability exists in Asterisk Open Source 13.x before 13.15.1 and 14.x before 14.4.1 and Certified Asterisk 13.13 before 13.13-cert4, which can be triggered by sending specially crafted SCCP packets causing an infinite loop and leading to memory exhaustion (by message logging in that loop).
network
low complexity
asterisk CWE-835
5.0
5.0
2013-04-01 CVE-2013-2686 Buffer Errors vulnerability in Asterisk Certified Asterisk, Digiumphones and Open Source
main/http.c in the HTTP server in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before 1.8.15-cert2; and Asterisk Digiumphones 10.x-digiumphones before 10.12.2-digiumphones does not properly restrict Content-Length values, which allows remote attackers to conduct stack-consumption attacks and cause a denial of service (daemon crash) via a crafted HTTP POST request.
network
low complexity
asterisk CWE-119
5.0
5.0
2013-04-01 CVE-2013-2685 Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Asterisk Open Source
Stack-based buffer overflow in res/res_format_attr_h264.c in Asterisk Open Source 11.x before 11.2.2 allows remote attackers to execute arbitrary code via a long sprop-parameter-sets H.264 media attribute in a SIP Session Description Protocol (SDP) header.
network
low complexity
asterisk CWE-119
7.5
7.5
2013-04-01 CVE-2013-2264 Information Exposure vulnerability in Asterisk products
The SIP channel driver in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before 1.8.15-cert2; Asterisk Business Edition (BE) C.3.x before C.3.8.1; and Asterisk Digiumphones 10.x-digiumphones before 10.12.2-digiumphones exhibits different behavior for invalid INVITE, SUBSCRIBE, and REGISTER transactions depending on whether the user account exists, which allows remote attackers to enumerate account names by (1) reading HTTP status codes, (2) reading additional text in a 403 (aka Forbidden) response, or (3) observing whether certain retransmissions occur.
network
low complexity
asterisk CWE-200
5.0
5.0
2012-08-31 CVE-2012-2186 Unspecified vulnerability in Asterisk products
Incomplete blacklist vulnerability in main/manager.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert6, Asterisk Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6 allows remote authenticated users to execute arbitrary commands by leveraging originate privileges and providing an ExternalIVR value in an AMI Originate action.
network
low complexity
asterisk
critical
 9.0
9.0
2012-06-02 CVE-2012-2948 Resource Management Errors vulnerability in Asterisk Certified Asterisk and Open Source
chan_skinny.c in the Skinny (aka SCCP) channel driver in Certified Asterisk 1.8.11-cert before 1.8.11-cert2 and Asterisk Open Source 1.8.x before 1.8.12.1 and 10.x before 10.4.1 allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by closing a connection in off-hook mode.
network
low complexity
asterisk CWE-399
4.0
4.0