7.5

CVE-2018-17281

There is a stack consumption vulnerability in the res_http_websocket.so module of Asterisk through 13.23.0, 14.7.x through 14.7.7, and 15.x through 15.6.0 and Certified Asterisk through 13.21-cert2. It allows an attacker to crash Asterisk via a specially crafted HTTP request to upgrade the connection to a websocket.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DigiumAsterisk SwEditionlts Version >= 13.0.0 <= 13.23.0
DigiumAsterisk Version >= 14.0.0 <= 14.7.7
DigiumAsterisk SwEditionstandard Version >= 15.0.0 <= 15.6.0
DigiumCertified Asterisk Version11.6 Updatecert12 SwEditionlts
DigiumCertified Asterisk Version11.6 Updatecert13 SwEditionlts
DigiumCertified Asterisk Version11.6 Updatecert14 SwEditionlts
DigiumCertified Asterisk Version11.6 Updatecert15 SwEditionlts
DigiumCertified Asterisk Version11.6 Updatecert16 SwEditionlts
DigiumCertified Asterisk Version11.6 Updatecert17 SwEditionlts
DigiumCertified Asterisk Version11.6 Updatecert18 SwEditionlts
DigiumCertified Asterisk Version13.1 Updatecert3 SwEditionlts
DigiumCertified Asterisk Version13.1 Updatecert4 SwEditionlts
DigiumCertified Asterisk Version13.1 Updatecert5 SwEditionlts
DigiumCertified Asterisk Version13.1 Updatecert6 SwEditionlts
DigiumCertified Asterisk Version13.1 Updatecert7 SwEditionlts
DigiumCertified Asterisk Version13.1 Updatecert8 SwEditionlts
DigiumCertified Asterisk Version13.8 Updatecert1 SwEditionlts
DigiumCertified Asterisk Version13.8 Updatecert2 SwEditionlts
DigiumCertified Asterisk Version13.8 Updatecert3 SwEditionlts
DigiumCertified Asterisk Version13.8 Updatecert4 SwEditionlts
DigiumCertified Asterisk Version13.13 Updatecert1 SwEditionlts
DigiumCertified Asterisk Version13.13 Updatecert2 SwEditionlts
DigiumCertified Asterisk Version13.13 Updatecert3 SwEditionlts
DigiumCertified Asterisk Version13.13 Updatecert4 SwEditionlts
DigiumCertified Asterisk Version13.13 Updatecert5 SwEditionlts
DigiumCertified Asterisk Version13.13 Updatecert6 SwEditionlts
DigiumCertified Asterisk Version13.13 Updatecert7 SwEditionlts
DigiumCertified Asterisk Version13.13 Updatecert8 SwEditionlts
DigiumCertified Asterisk Version13.13 Updatecert9 SwEditionlts
DigiumCertified Asterisk Version13.21 Updatecert1 SwEditionlts
DigiumCertified Asterisk Version13.21 Updatecert2 SwEditionlts
DebianDebian Linux Version8.0
DebianDebian Linux Version9.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 53.38% 0.989
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:N/A:P
CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.

https://security.gentoo.org/glsa/201811-11
Third Party Advisory
https://www.debian.org/security/2018/dsa-4320
Third Party Advisory
http://downloads.asterisk.org/pub/security/AST-2018-009.html
Patch
Vendor Advisory
http://packetstormsecurity.com/files/149453/Asterisk-Project-Security-Advisory-AST-2018-009.html
Third Party Advisory
VDB Entry
http://seclists.org/fulldisclosure/2018/Sep/31
Patch
Third Party Advisory
Mailing List
http://www.securityfocus.com/bid/105389
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1041694
Third Party Advisory
VDB Entry
https://issues.asterisk.org/jira/browse/ASTERISK-28013
Third Party Advisory
Issue Tracking
https://lists.debian.org/debian-lts-announce/2018/09/msg00034.html
Third Party Advisory
Mailing List
https://seclists.org/bugtraq/2018/Sep/53
Patch
Third Party Advisory
Mailing List