Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2025-49832

Опубликовано: 01 авг. 2025
Источник: nvd
CVSS3: 6.5
EPSS Низкий

Описание

Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in asterisk/res/res_stir_shaken /verification.c that can be exploited when an attacker can set an arbitrary Identity header, or STIR/SHAKEN is enabled, with verification set in the SIP profile associated with the endpoint to be attacked. This is fixed in versions 18.26.3, 20.7-cert6, 20.15.1, 21.10.1 and 22.5.1.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
Версия до 18.26.3 (исключая)
cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
Версия от 20.0.0 (включая) до 20.15.1 (исключая)
cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
Версия от 21.0.0 (включая) до 21.10.1 (исключая)
cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
Версия от 22.0.0 (включая) до 22.5.1 (исключая)
Конфигурация 2

Одно из

cpe:2.3:a:sangoma:certified_asterisk:*:*:*:*:*:*:*:*
Версия до 18.9 (включая)
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc1:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc2:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert2:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert3:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert4:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert5:*:*:*:*:*:*
cpe:2.3:a:sangoma:certified_asterisk:20.7:cert6:*:*:*:*:*:*

EPSS

Процентиль: 46%
0.00235
Низкий

6.5 Medium

CVSS3

Дефекты

CWE-476

Связанные уязвимости

ubuntu логотип

CVE-2025-49832

CVSS3: 6.5
ubuntu
6 месяцев назад

Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in `asterisk/res/res_stir_shaken /verification.c` that can be exploited when an attacker can set an arbitrary Identity header, or STIR/SHAKEN is enabled, with verification set in the SIP profile associated with the endpoint to be attacked. This is fixed in versions 18.26.3, 20.7-cert6, 20.15.1, 21.10.1 and 22.5.1.

debian логотип

CVE-2025-49832

CVSS3: 6.5
debian
6 месяцев назад

Asterisk is an open source private branch exchange and telephony toolk ...

EPSS

Процентиль: 46%
0.00235
Низкий

6.5 Medium

CVSS3

Дефекты

CWE-476