CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS
Percentile
75.4%
The SIP channel driver in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x
before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before
1.8.15-cert2; Asterisk Business Edition (BE) C.3.x before C.3.8.1; and
Asterisk Digiumphones 10.x-digiumphones before 10.12.2-digiumphones
exhibits different behavior for invalid INVITE, SUBSCRIBE, and REGISTER
transactions depending on whether the user account exists, which allows
remote attackers to enumerate account names by (1) reading HTTP status
codes, (2) reading additional text in a 403 (aka Forbidden) response, or
(3) observing whether certain retransmissions occur.