CVE-2023-37457

Опубликовано: 14 дек. 2023

Источник: nvd

CVSS3: 7.5

CVSS3: 8.2

EPSS Низкий

Описание

Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk versions 18.20.0 and prior, 20.5.0 and prior, and 21.0.0; as well as ceritifed-asterisk 18.9-cert5 and prior, the 'update' functionality of the PJSIP_HEADER dialplan function can exceed the available buffer space for storing the new value of a header. By doing so this can overwrite memory or cause a crash. This is not externally exploitable, unless dialplan is explicitly written to update a header based on data from an outside source. If the 'update' functionality is not used the vulnerability does not occur. A patch is available at commit a1ca0268254374b515fa5992f01340f7717113fa.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*

Версия до 18.20.0 (включая)

cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*

Версия от 19.0.0 (включая) до 20.5.0 (включая)

cpe:2.3:a:digium:asterisk:21.0.0:*:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:13.13.0:*:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc1:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc2:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc3:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc4:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert2:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert3:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:13.13.0:rc1:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:13.13.0:rc2:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:16.8.0:-:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert1:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert10:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert11:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert12:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert2:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert3:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert4:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert5:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert6:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert7:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert8:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert9:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:18.9:cert2:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:18.9:cert3:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:18.9:cert4:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:18.9:cert5:*:*:*:*:*:*

EPSS

Процентиль: 15%

0.00047

Низкий

7.5 High

CVSS3

8.2 High

CVSS3

Дефекты

CWE-120

Связанные уязвимости

CVE-2023-37457

CVSS3: 7.5

ubuntu

больше 1 года назад

CVE-2023-37457

CVSS3: 7.5

debian

больше 1 года назад

Asterisk is an open source private branch exchange and telephony toolk ...

BDU:2023-08817

CVSS3: 7.5

fstec

почти 2 года назад

Уязвимость функции PJSIP_HEADER() систем управления IP-телефонией Asterisk и Certified Asterisk, позволяющая нарушителю вызвать отказ в обслуживании

ROS-20240807-03

CVSS3: 7.5

redos

11 месяцев назад

Множественные уязвимости asterisk

EPSS

Процентиль: 15%

0.00047

Низкий

7.5 High

CVSS3

8.2 High

CVSS3

Дефекты

CWE-120