CVE-2018-12227

Published: 12/06/2018 Updated: 29/03/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 5.3 | Impact Score: 1.4 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

An issue exists in Asterisk Open Source 13.x prior to 13.21.1, 14.x prior to 14.7.7, and 15.x prior to 15.4.1, and in Certified Asterisk 13.18-cert prior to 13.18-cert4 and 13.21-cert prior to 13.21-cert2. When endpoint-specific ACL rules block a SIP request, Asterisk responds with a 403 Forbidden. However, if an endpoint is not identified, a 401 Unauthorized response is sent. The difference between the two responses discloses which requests hit a defined endpoint, and nothing more: the ACL rules cannot be bypassed to gain access to the disclosed endpoints.

Vulnerable Product

digium asterisk

digium certified asterisk 13.21

digium certified asterisk 13.18

debian debian linux 9.0

Vendor Advisories

Multiple vulnerabilities have been discovered in Asterisk, an open source PBX and telephony toolkit, which may result in denial of service or information disclosure. For the stable distribution (stretch), these problems have been fixed in version 1:13.14.1~dfsg-2+deb9u4. We recommend that you upgrade your asterisk packages. For the detailed securit ...
Debian Bug report logs - #902954 CVE-2018-12227 Package: src:asterisk; Maintainer for src:asterisk is Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>; Reported by: Moritz Muehlenhoff <jmm@debian.org> Date: Tue, 3 Jul 2018 21:00:02 UTC Severity: normal Tags: security Found in version asterisk/1:1314 ...
Debian Bug report logs - #891228 asterisk: CVE-2018-7286: AST-2018-005: Crash when large numbers of TCP connections are closed suddenly Package: src:asterisk; Maintainer for src:asterisk is Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Fri, ...
Debian Bug report logs - #909554 asterisk: CVE-2018-17281: Remote crash vulnerability in HTTP websocket upgrade Package: src:asterisk; Maintainer for src:asterisk is Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Tue, 25 Sep 2018 05:27:01 UT ...
Debian Bug report logs - #891227 asterisk: CVE-2018-7284: AST-2018-004: Crash when receiving SUBSCRIBE request Package: src:asterisk; Maintainer for src:asterisk is Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Fri, 23 Feb 2018 15:09:02 UTC ...