7.5

CVE-2021-32558

Exploit

An issue was discovered in Sangoma Asterisk 13.x before 13.38.3, 16.x before 16.19.1, 17.x before 17.9.4, and 18.x before 18.5.1, and Certified Asterisk before 16.8-cert10. If the IAX2 channel driver receives a packet that contains an unsupported media format, a crash can occur.

Data is provided by the National Vulnerability Database (NVD)
DigiumAsterisk Version >= 13.0.0 < 13.38.3
DigiumAsterisk Version >= 16.0.0 < 16.19.1
DigiumAsterisk Version >= 17.0.0 < 17.9.4
DigiumAsterisk Version >= 18.0.0 < 18.15.1
DigiumCertified Asterisk Version16.8 Update-
DigiumCertified Asterisk Version16.8 Updatecert1-rc1
DigiumCertified Asterisk Version16.8 Updatecert1-rc2
DigiumCertified Asterisk Version16.8 Updatecert1-rc3
DigiumCertified Asterisk Version16.8 Updatecert1-rc4
DigiumCertified Asterisk Version16.8 Updatecert2
DigiumCertified Asterisk Version16.8 Updatecert3
DigiumCertified Asterisk Version16.8 Updatecert4
DigiumCertified Asterisk Version16.8 Updatecert4-rc1
DigiumCertified Asterisk Version16.8 Updatecert4-rc2
DigiumCertified Asterisk Version16.8 Updatecert4-rc3
DigiumCertified Asterisk Version16.8 Updatecert4-rc4
DigiumCertified Asterisk Version16.8 Updatecert5
DigiumCertified Asterisk Version16.8 Updatecert6
DigiumCertified Asterisk Version16.8 Updatecert7
DigiumCertified Asterisk Version16.8 Updatecert8
DigiumCertified Asterisk Version16.8 Updatecert9
DebianDebian Linux Version9.0
DebianDebian Linux Version11.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 2.48% 0.847
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:N/A:P
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

http://seclists.org/fulldisclosure/2021/Jul/49
Patch
Third Party Advisory
Mailing List
https://issues.asterisk.org/jira/browse/ASTERISK-29392
Patch
Vendor Advisory
Exploit
Issue Tracking