5.7

CVE-2024-42491

A malformed Contact or Record-Route URI in an incoming SIP request can cause Asterisk to crash when res_resolver_unbound is used

Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.24.3, 20.9.3, and 21.4.3 of Asterisk and versions 18.9-cert12 and 20.7-cert2 of certified-asterisk, if Asterisk attempts to send a SIP request to a URI whose host portion starts with `.1` or `[.1]`, and res_resolver_unbound is loaded, Asterisk will crash with a SEGV. To receive a patch, users should upgrade to one of the following versions: 18.24.3, 20.9.3, 21.4.3, certified-18.9-cert12, certified-20.7-cert2. Two workarounds are available. Disable res_resolver_unbound by setting `noload = res_resolver_unbound.so` in modules.conf, or set `rewrite_contact = yes` on all PJSIP endpoints. NOTE: This may not be appropriate for all Asterisk configurations.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SangomaAsterisk Version < 18.24.3
SangomaAsterisk Version >= 20.0.0 < 20.9.3
SangomaAsterisk Version >= 21.0.0 <= 21.4.3
SangomaCertified Asterisk Version < 18.9
SangomaCertified Asterisk Version18.9 Update-
SangomaCertified Asterisk Version18.9 Updatecert1
SangomaCertified Asterisk Version18.9 Updatecert1-rc1
SangomaCertified Asterisk Version18.9 Updatecert10
SangomaCertified Asterisk Version18.9 Updatecert11
SangomaCertified Asterisk Version18.9 Updatecert2
SangomaCertified Asterisk Version18.9 Updatecert3
SangomaCertified Asterisk Version18.9 Updatecert4
SangomaCertified Asterisk Version18.9 Updatecert5
SangomaCertified Asterisk Version18.9 Updatecert6
SangomaCertified Asterisk Version18.9 Updatecert7
SangomaCertified Asterisk Version18.9 Updatecert8
SangomaCertified Asterisk Version18.9 Updatecert8-rc1
SangomaCertified Asterisk Version18.9 Updatecert8-rc2
SangomaCertified Asterisk Version18.9 Updatecert9
SangomaCertified Asterisk Version20.7 Updatecert1
SangomaCertified Asterisk Version20.7 Updatecert1-rc1
SangomaCertified Asterisk Version20.7 Updatecert1-rc2
SangomaCertified Asterisk Version20.7 Updatecert2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.55% 0.419
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 5.7 2.1 3.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
CWE-252 Unchecked Return Value

The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

https://github.com/asterisk/asterisk/commit/42a2f4ccfa2c7062a15063e765916b3332e34cc4
Patch
https://github.com/asterisk/asterisk/commit/7a0090325bfa9d778a39ae5f7d0a98109e4651c8
Patch
https://github.com/asterisk/asterisk/commit/4f01669c7c41c9184f3cce9a3cf1b2ebf6201742
Patch
https://github.com/asterisk/asterisk/commit/50bf8d4d3064930d28ecf1ce3397b14574d514d2
Patch
https://github.com/asterisk/asterisk/commit/a15050650abf09c10a3c135fab148220cd41d3a0
Patch
https://github.com/asterisk/asterisk/security/advisories/GHSA-v428-g3cw-7hv9
Vendor Advisory
https://lists.debian.org/debian-lts-announce/2024/10/msg00016.html