CVE-2023-37457
- Base Score 8.2
- EPSS 0.05%
- Published 14.12.2023 20:15:52
- Last modified 21.11.2024 08:11:44
- Source security-advisories@github.com
Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk versions 18.20.0 and prior, 20.5.0 and prior, and 21.0.0, as well as certified-asterisk 18.9-cert5 and prior, the 'update' functionality of the PJSIP_HEADER dialplan function can exceed the available buffer space for storing the new value of a header. This can overwrite memory or cause a crash. It is not externally exploitable unless the dialplan is explicitly written to update a header based on data from an outside source. If the 'update' functionality is not used, the vulnerability does not occur. A patch is available at commit a1ca0268254374b515fa5992f01340f7717113fa.
Data provided by the National Vulnerability Database (NVD)
- Sangoma ≫ Certified Asterisk 13.13.0
- Sangoma ≫ Certified Asterisk 13.13.0 (update cert1)
- Sangoma ≫ Certified Asterisk 13.13.0 (update cert1-rc1)
- Sangoma ≫ Certified Asterisk 13.13.0 (update cert1-rc2)
- Sangoma ≫ Certified Asterisk 13.13.0 (update cert1-rc3)
- Sangoma ≫ Certified Asterisk 13.13.0 (update cert1-rc4)
- Sangoma ≫ Certified Asterisk 13.13.0 (update cert2)
- Sangoma ≫ Certified Asterisk 13.13.0 (update cert3)
- Sangoma ≫ Certified Asterisk 13.13.0 (update rc1)
- Sangoma ≫ Certified Asterisk 13.13.0 (update rc2)
- Sangoma ≫ Certified Asterisk 16.8.0
- Sangoma ≫ Certified Asterisk 16.8.0 (update cert1)
- Sangoma ≫ Certified Asterisk 16.8.0 (update cert10)
- Sangoma ≫ Certified Asterisk 16.8.0 (update cert11)
- Sangoma ≫ Certified Asterisk 16.8.0 (update cert12)
- Sangoma ≫ Certified Asterisk 16.8.0 (update cert2)
- Sangoma ≫ Certified Asterisk 16.8.0 (update cert3)
- Sangoma ≫ Certified Asterisk 16.8.0 (update cert4)
- Sangoma ≫ Certified Asterisk 16.8.0 (update cert5)
- Sangoma ≫ Certified Asterisk 16.8.0 (update cert6)
- Sangoma ≫ Certified Asterisk 16.8.0 (update cert7)
- Sangoma ≫ Certified Asterisk 16.8.0 (update cert8)
- Sangoma ≫ Certified Asterisk 16.8.0 (update cert9)
- Sangoma ≫ Certified Asterisk 18.9 (update cert1)
- Sangoma ≫ Certified Asterisk 18.9 (update cert2)
- Sangoma ≫ Certified Asterisk 18.9 (update cert3)
- Sangoma ≫ Certified Asterisk 18.9 (update cert4)
- Sangoma ≫ Certified Asterisk 18.9 (update cert5)
No CISA KEV entry or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile
---|---|---|---
EPSS | FIRST.org | 0.05% | 0.141
Source | Base Score | Exploit Score | Impact Score | Vector String
---|---|---|---|---
nvd@nist.gov | 8.2 | 3.9 | 4.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
security-advisories@github.com | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.
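To make the CWE-120 pattern concrete in the setting the description gives (a new header value copied into a fixed-size buffer), the following C example is added to this entry. It is a constructed illustration, not Asterisk's code or the referenced patch: the slot layout, the 64-byte value size, the canary field and the function names are assumptions. It places the unchecked copy beside a bounded form that measures the input, refuses anything that does not fit, and reports the rejection to the caller rather than truncating silently.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed example, not Asterisk's code: a fixed-size slot that holds one
 * header name/value pair. The sizes and the canary field are assumptions made
 * so the demo can show where an unchecked copy would land. */
#define HEADER_VALUE_MAX 64

struct header_slot {
    char name[32];
    char value[HEADER_VALUE_MAX];
    uint32_t canary;              /* constructed: sits right after `value` */
};

#define CANARY_OK 0xC0FFEE42u

/* The CWE-120 pattern: the new value is copied without checking that it fits
 * in `value`. Anything longer than HEADER_VALUE_MAX - 1 bytes writes past the
 * array into `canary` and whatever follows. Shown only as the 'before' form;
 * the demo never calls it with oversized input because that is undefined
 * behaviour. */
static int update_header_unchecked(struct header_slot *slot, const char *new_value)
{
    strcpy(slot->value, new_value);
    return 0;
}

/* Hardened form: measure the input, refuse anything that does not fit together
 * with its terminator, and report the rejection so the caller can log it or
 * fail the dialplan step. Rejecting is preferred over silent truncation, which
 * could change the meaning of the header. */
static int update_header_bounded(struct header_slot *slot, const char *new_value)
{
    size_t len = strlen(new_value);
    if (len >= HEADER_VALUE_MAX) {
        return -1;                /* too long: slot left unchanged */
    }
    memcpy(slot->value, new_value, len + 1);   /* includes the terminator */
    return 0;
}

/* Runs the bounded update on a fresh slot using a constructed value of `len`
 * 'A' characters. Returns 0 if the value was accepted and stored intact,
 * -1 if it was rejected and the old value survived, -2 on any corruption. */
int try_bounded_update(size_t len)
{
    char input[HEADER_VALUE_MAX + 200];
    struct header_slot slot;

    if (len >= sizeof(input)) {
        len = sizeof(input) - 1;
    }
    memset(input, 'A', len);
    input[len] = '\0';

    memset(&slot, 0, sizeof(slot));
    strcpy(slot.name, "X-Example");
    strcpy(slot.value, "old");
    slot.canary = CANARY_OK;

    int rc = update_header_bounded(&slot, input);

    if (slot.canary != CANARY_OK) {
        return -2;
    }
    if (rc != 0) {
        /* Rejected: the previous value must still be there. */
        return strcmp(slot.value, "old") == 0 ? -1 : -2;
    }
    /* Accepted: the stored value must match what was supplied. */
    return strcmp(slot.value, input) == 0 ? 0 : -2;
}

int main(void)
{
    struct header_slot slot;
    memset(&slot, 0, sizeof(slot));
    slot.canary = CANARY_OK;

    /* On a value that fits, both forms behave the same. */
    update_header_unchecked(&slot, "sip:alice@example.com");
    printf("unchecked, short value: %s\n", slot.value);

    /* The bounded form accepts up to HEADER_VALUE_MAX - 1 bytes and refuses more. */
    printf("bounded, 20 bytes:  rc=%d\n", try_bounded_update(20));
    printf("bounded, 63 bytes:  rc=%d\n", try_bounded_update(63));
    printf("bounded, 64 bytes:  rc=%d\n", try_bounded_update(64));
    printf("bounded, 500 bytes: rc=%d\n", try_bounded_update(500));
    return 0;
}
```

The point of the bounded form is the order of operations: the length check happens before any byte is written, and the caller learns that the update did not happen. In the scenario the description outlines, where the dialplan feeds a header value from an outside source, that return code is what lets the operator log the oversized value and reject the request instead of corrupting memory.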