Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2025-49832

Опубликовано: 01 авг. 2025
Источник: debian
EPSS Низкий

Описание

Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in `asterisk/res/res_stir_shaken /verification.c` that can be exploited when an attacker can set an arbitrary Identity header, or STIR/SHAKEN is enabled, with verification set in the SIP profile associated with the endpoint to be attacked. This is fixed in versions 18.26.3, 20.7-cert6, 20.15.1, 21.10.1 and 22.5.1.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
asteriskfixed1:22.5.1~dfsg+~cs6.15.60671435-1package
asterisknot-affectedbullseyepackage

Примечания

  • https://github.com/asterisk/asterisk/security/advisories/GHSA-mrq5-74j5-f5cr

  • Introduced by: https://github.com/asterisk/asterisk/commit/628f8d7a43517e5da5becda33471dc2c44841bb6 (22.0.0-pre1)

  • Earliest version with backport of the vulnerable code is 18.22.0-rc1

  • Fixed by: https://github.com/asterisk/asterisk/commit/723410e3126e2d6a6a05e89cdf0cb23f4556af3a (master)

  • Fixed by: https://github.com/asterisk/asterisk/commit/f8c6ad7916a9d233eb9e685365132e0435535216 (22.5.1)

EPSS

Процентиль: 42%
0.002
Низкий

Связанные уязвимости

ubuntu логотип

CVE-2025-49832

CVSS3: 6.5
ubuntu
около 1 месяца назад

Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in `asterisk/res/res_stir_shaken /verification.c` that can be exploited when an attacker can set an arbitrary Identity header, or STIR/SHAKEN is enabled, with verification set in the SIP profile associated with the endpoint to be attacked. This is fixed in versions 18.26.3, 20.7-cert6, 20.15.1, 21.10.1 and 22.5.1.

nvd логотип

CVE-2025-49832

CVSS3: 6.5
nvd
около 1 месяца назад

Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in `asterisk/res/res_stir_shaken /verification.c` that can be exploited when an attacker can set an arbitrary Identity header, or STIR/SHAKEN is enabled, with verification set in the SIP profile associated with the endpoint to be attacked. This is fixed in versions 18.26.3, 20.7-cert6, 20.15.1, 21.10.1 and 22.5.1.

EPSS

Процентиль: 42%
0.002
Низкий