History: Sep 04, 2008 - 7:41 p.m.

CVE-2008-3903

2008-09-04 19:41:00
CWE-200
mitre
web.nvd.nist.gov
50
cve-2008-3903
asterisk open source
authentication
sip
remote attack
vulnerability
information security

CVSS2: 3.5

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N

AI Score: 6.5
Confidence: Low

EPSS: 0.006
Percentile: 79.8%

Asterisk Open Source 1.2.x before 1.2.32, 1.4.x before 1.4.24.1, and 1.6.0.x before 1.6.0.8; Asterisk Business Edition A.x.x, B.x.x before B.2.5.8, C.1.x.x before C.1.10.5, and C.2.x.x before C.2.3.3; s800i 1.3.x before 1.3.0.2; and Trixbox PBX 2.6.1, when Digest authentication and authalwaysreject are enabled, generates different responses depending on whether a SIP username is valid, which allows remote attackers to enumerate valid usernames.

Affected configurations

Nvd
Node
asterisk p_b_x Match 1.2
OR
asterisk p_b_x Match 1.2.22
OR
asterisk p_b_x Match 1.4.21.1
OR
asterisk p_b_x Match 1.6
OR
trixbox pbx Match 2.6.1

Vendor    Product  Version   CPE
asterisk  p_b_x    1.2       cpe:2.3:a:asterisk:p_b_x:1.2:*:*:*:*:*:*:*
asterisk  p_b_x    1.2.22    cpe:2.3:a:asterisk:p_b_x:1.2.22:*:*:*:*:*:*:*
asterisk  p_b_x    1.4.21.1  cpe:2.3:a:asterisk:p_b_x:1.4.21.1:*:*:*:*:*:*:*
asterisk  p_b_x    1.6       cpe:2.3:a:asterisk:p_b_x:1.6:*:*:*:*:*:*:*
trixbox   pbx      2.6.1     cpe:2.3:a:trixbox:pbx:2.6.1:*:*:*:*:*:*:*
