CVE-2022-42705

2022-12-0521:15:10

CWE-416

mitre

web.nvd.nist.gov

cve-2022-42705

use-after-free

res_pjsip_pubsub.c

sangoma asterisk

denial of service

nvd

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

6.5

Confidence

High

EPSS

0.004

Percentile

74.4%

JSON

A use-after-free in res_pjsip_pubsub.c in Sangoma Asterisk 16.28, 18.14, 19.6, and certified/18.9-cert2 may allow a remote authenticated attacker to crash Asterisk (denial of service) by performing activity on a subscription via a reliable transport at the same time that Asterisk is also performing activity on that subscription.

Affected configurations

Nvd

Node

sangomaasteriskRange16.0.0–16.29.1

sangomaasteriskRange18.14.0–18.15.1

sangomaasteriskRange19.6.0–19.7.1

sangomaasteriskMatch20.0.0

sangomacertified_asteriskMatch18.9cert2

VendorProductVersionCPE
sangomaasterisk*cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
sangomaasterisk20.0.0cpe:2.3:a:sangoma:asterisk:20.0.0:*:*:*:*:*:*:*
sangomacertified_asterisk18.9cpe:2.3:a:sangoma:certified_asterisk:18.9:cert2:*:*:*:*:*:*

Vendor	Product	Version	CPE
sangoma	asterisk	*	cpe:2.3:a:sangoma:asterisk::::::::
sangoma	asterisk	20.0.0	cpe:2.3:a:sangoma:asterisk:20.0.0:::::::*
sangoma	certified_asterisk	18.9	cpe:2.3:a:sangoma:certified_asterisk:18.9:cert2::::::