Lucene search

K

[email protected]NVD:CVE-2023-37457

HistoryDec 14, 2023 - 8:15 p.m.

CVE-2023-37457

2023-12-1420:15:52

CWE-120

[email protected]

web.nvd.nist.gov

1

asterisk

pjsip_header

update

vulnerability

buffer space

memory

crash

patch

cve-2023-37457

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

0.001 Low

EPSS

Percentile

46.6%

Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk versions 18.20.0 and prior, 20.5.0 and prior, and 21.0.0; as well as ceritifed-asterisk 18.9-cert5 and prior, the ‘update’ functionality of the PJSIP_HEADER dialplan function can exceed the available buffer space for storing the new value of a header. By doing so this can overwrite memory or cause a crash. This is not externally exploitable, unless dialplan is explicitly written to update a header based on data from an outside source. If the ‘update’ functionality is not used the vulnerability does not occur. A patch is available at commit a1ca0268254374b515fa5992f01340f7717113fa.

Affected configurations

NVD

Node

digiumasteriskRange≤18.20.0

OR

digiumasteriskRange19.0.0–20.5.0

OR

digiumasteriskMatch21.0.0

OR

sangomacertified_asteriskMatch13.13.0

OR

sangomacertified_asteriskMatch13.13.0cert1

OR

sangomacertified_asteriskMatch13.13.0cert1-rc1

OR

sangomacertified_asteriskMatch13.13.0cert1-rc2

OR

sangomacertified_asteriskMatch13.13.0cert1-rc3

OR

sangomacertified_asteriskMatch13.13.0cert1-rc4

OR

sangomacertified_asteriskMatch13.13.0cert2

OR

sangomacertified_asteriskMatch13.13.0cert3

OR

sangomacertified_asteriskMatch13.13.0rc1

OR

sangomacertified_asteriskMatch13.13.0rc2

OR

sangomacertified_asteriskMatch16.8.0-

OR

sangomacertified_asteriskMatch16.8.0cert1

OR

sangomacertified_asteriskMatch16.8.0cert10

OR

sangomacertified_asteriskMatch16.8.0cert11

OR

sangomacertified_asteriskMatch16.8.0cert12

OR

sangomacertified_asteriskMatch16.8.0cert2

OR

sangomacertified_asteriskMatch16.8.0cert3

OR

sangomacertified_asteriskMatch16.8.0cert4

OR

sangomacertified_asteriskMatch16.8.0cert5

OR

sangomacertified_asteriskMatch16.8.0cert6

OR

sangomacertified_asteriskMatch16.8.0cert7

OR

sangomacertified_asteriskMatch16.8.0cert8

OR

sangomacertified_asteriskMatch16.8.0cert9

OR

sangomacertified_asteriskMatch18.9cert1

OR

sangomacertified_asteriskMatch18.9cert2

OR

sangomacertified_asteriskMatch18.9cert3

OR

sangomacertified_asteriskMatch18.9cert4

OR

sangomacertified_asteriskMatch18.9cert5

References

github.com/asterisk/asterisk/commit/a1ca0268254374b515fa5992f01340f7717113fa

github.com/asterisk/asterisk/security/advisories/GHSA-98rc-4j27-74hh

lists.debian.org/debian-lts-announce/2023/12/msg00019.html

8.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

0.001 Low

EPSS

Percentile

46.6%

Related for NVD:CVE-2023-37457

osv3 cnvd1 debiancve1 cvelist1 prion1 veracode1 alpinelinux1 ubuntucve1 cve1 openvas3 debian2