7.5

CVE-2018-17281

There is a stack consumption vulnerability in the res_http_websocket.so module of Asterisk through 13.23.0, 14.7.x through 14.7.7, and 15.x through 15.6.0 and Certified Asterisk through 13.21-cert2. It allows an attacker to crash Asterisk via a specially crafted HTTP request to upgrade the connection to a websocket.

Data provided by the National Vulnerability Database (NVD)
Digium Asterisk, SwEdition lts, Version >= 13.0.0 <= 13.23.0
Digium Asterisk, Version >= 14.0.0 <= 14.7.7
Digium Asterisk, SwEdition standard, Version >= 15.0.0 <= 15.6.0
Digium Certified Asterisk, Version 11.6, Update cert12, SwEdition lts
Digium Certified Asterisk, Version 11.6, Update cert13, SwEdition lts
Digium Certified Asterisk, Version 11.6, Update cert14, SwEdition lts
Digium Certified Asterisk, Version 11.6, Update cert15, SwEdition lts
Digium Certified Asterisk, Version 11.6, Update cert16, SwEdition lts
Digium Certified Asterisk, Version 11.6, Update cert17, SwEdition lts
Digium Certified Asterisk, Version 11.6, Update cert18, SwEdition lts
Digium Certified Asterisk, Version 13.1, Update cert3, SwEdition lts
Digium Certified Asterisk, Version 13.1, Update cert4, SwEdition lts
Digium Certified Asterisk, Version 13.1, Update cert5, SwEdition lts
Digium Certified Asterisk, Version 13.1, Update cert6, SwEdition lts
Digium Certified Asterisk, Version 13.1, Update cert7, SwEdition lts
Digium Certified Asterisk, Version 13.1, Update cert8, SwEdition lts
Digium Certified Asterisk, Version 13.8, Update cert1, SwEdition lts
Digium Certified Asterisk, Version 13.8, Update cert2, SwEdition lts
Digium Certified Asterisk, Version 13.8, Update cert3, SwEdition lts
Digium Certified Asterisk, Version 13.8, Update cert4, SwEdition lts
Digium Certified Asterisk, Version 13.13, Update cert1, SwEdition lts
Digium Certified Asterisk, Version 13.13, Update cert2, SwEdition lts
Digium Certified Asterisk, Version 13.13, Update cert3, SwEdition lts
Digium Certified Asterisk, Version 13.13, Update cert4, SwEdition lts
Digium Certified Asterisk, Version 13.13, Update cert5, SwEdition lts
Digium Certified Asterisk, Version 13.13, Update cert6, SwEdition lts
Digium Certified Asterisk, Version 13.13, Update cert7, SwEdition lts
Digium Certified Asterisk, Version 13.13, Update cert8, SwEdition lts
Digium Certified Asterisk, Version 13.13, Update cert9, SwEdition lts
Digium Certified Asterisk, Version 13.21, Update cert1, SwEdition lts
Digium Certified Asterisk, Version 13.21, Update cert2, SwEdition lts
Debian Debian Linux, Version 8.0
Debian Debian Linux, Version 9.0
No CISA KEV or CERT.AT warning was found for this CVE.

EPSS Metrics

Type | Source | Score | Percentile
EPSS | FIRST.org | 80.65% | 0.991

CVSS Metrics

Source | Base Score | Exploit Score | Impact Score | Vector String
nvd@nist.gov | 7.5 | 3.9 | 3.6 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov | 5 | 10 | 2.9 | AV:N/AC:L/Au:N/C:N/I:N/A:P

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.