CVE-2018-17281

EPSS 80.65%
Published 24.09.2018 22:29:01
Last modified 21.11.2024 03:54:10
Source cve@mitre.org
Teams watchlist Login
Open Login

There is a stack consumption vulnerability in the res_http_websocket.so module of Asterisk through 13.23.0, 14.7.x through 14.7.7, and 15.x through 15.6.0 and Certified Asterisk through 13.21-cert2. It allows an attacker to crash Asterisk via a specially crafted HTTP request to upgrade the connection to a websocket.

Affected products Warnungen 0 Metrics 3 CWE 1 References 13

Data is provided by the National Vulnerability Database (NVD)

Digium ≫ Asterisk SwEditionlts Version >= 13.0.0 <= 13.23.0

Digium ≫ Asterisk Version >= 14.0.0 <= 14.7.7

Digium ≫ Asterisk SwEditionstandard Version >= 15.0.0 <= 15.6.0

Digium ≫ Certified Asterisk Version11.6 Updatecert12 SwEditionlts

Digium ≫ Certified Asterisk Version11.6 Updatecert13 SwEditionlts

Digium ≫ Certified Asterisk Version11.6 Updatecert14 SwEditionlts

Digium ≫ Certified Asterisk Version11.6 Updatecert15 SwEditionlts

Digium ≫ Certified Asterisk Version11.6 Updatecert16 SwEditionlts

Digium ≫ Certified Asterisk Version11.6 Updatecert17 SwEditionlts

Digium ≫ Certified Asterisk Version11.6 Updatecert18 SwEditionlts

Digium ≫ Certified Asterisk Version13.1 Updatecert3 SwEditionlts

Digium ≫ Certified Asterisk Version13.1 Updatecert4 SwEditionlts

Digium ≫ Certified Asterisk Version13.1 Updatecert5 SwEditionlts

Digium ≫ Certified Asterisk Version13.1 Updatecert6 SwEditionlts

Digium ≫ Certified Asterisk Version13.1 Updatecert7 SwEditionlts

Digium ≫ Certified Asterisk Version13.1 Updatecert8 SwEditionlts

Digium ≫ Certified Asterisk Version13.8 Updatecert1 SwEditionlts

Digium ≫ Certified Asterisk Version13.8 Updatecert2 SwEditionlts

Digium ≫ Certified Asterisk Version13.8 Updatecert3 SwEditionlts

Digium ≫ Certified Asterisk Version13.8 Updatecert4 SwEditionlts

Digium ≫ Certified Asterisk Version13.13 Updatecert1 SwEditionlts

Digium ≫ Certified Asterisk Version13.13 Updatecert2 SwEditionlts

Digium ≫ Certified Asterisk Version13.13 Updatecert3 SwEditionlts

Digium ≫ Certified Asterisk Version13.13 Updatecert4 SwEditionlts

Digium ≫ Certified Asterisk Version13.13 Updatecert5 SwEditionlts

Digium ≫ Certified Asterisk Version13.13 Updatecert6 SwEditionlts

Digium ≫ Certified Asterisk Version13.13 Updatecert7 SwEditionlts

Digium ≫ Certified Asterisk Version13.13 Updatecert8 SwEditionlts

Digium ≫ Certified Asterisk Version13.13 Updatecert9 SwEditionlts

Digium ≫ Certified Asterisk Version13.21 Updatecert1 SwEditionlts

Digium ≫ Certified Asterisk Version13.21 Updatecert2 SwEditionlts

Debian ≫ Debian Linux Version8.0

Debian ≫ Debian Linux Version9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	80.65%	0.991

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://security.gentoo.org/glsa/201811-11

Third Party Advisory

https://www.debian.org/security/2018/dsa-4320

Third Party Advisory

http://downloads.asterisk.org/pub/security/AST-2018-009.html

Patch

Vendor Advisory

http://packetstormsecurity.com/files/149453/Asterisk-Project-Security-Advisory-AST-2018-009.html

Third Party Advisory

VDB Entry

http://seclists.org/fulldisclosure/2018/Sep/31

Patch