CVE-2025-49832
CVSS 3.1 base score 6.5
- EPSS 0.35%
- Published 01.08.2025 17:57:29
- Last modified 04.08.2025 15:06:15
- Source security-advisories@github.com
Asterisk is Vulnerable to Remote DoS and possible RCE Attacks During Memory Allocation
Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, 20.00.0 through 20.15.0, 21.00.0 through 21.10.0, 22.00.0 through 22.5.0, and the certified release 20.7-cert6, there is a remote DoS and possible RCE condition in `asterisk/res/res_stir_shaken/verification.c`. It can be exploited when an attacker can set an arbitrary SIP Identity header (the header that carries the STIR/SHAKEN PASSporT the verification code parses), or when STIR/SHAKEN is enabled with verification set in the SIP profile associated with the endpoint being attacked. This is fixed in versions 18.26.3, 20.15.1, 21.10.1 and 22.5.1; for the certified branch the CNA text lists 20.7-cert6 as both affected and fixed, while the structured version data below gives the affected range as >= 20.7-cert6, < 20.7-cert7, i.e. 20.7-cert7 as the first fixed certified release. The assigned weakness is a NULL pointer dereference (CWE-476), and the CVSS vector (C:N/I:N/A:H) scores only the availability impact; the "possible RCE" in the title is not reflected in the score.
Data provided by the CVE Program via a CVE Numbering Authority (CNA) (unstructured).
Vendor: asterisk
Product: asterisk

| Version | Status |
|---|---|
| < 18.26.3 | affected |
| >= 20.00.0, < 20.15.1 | affected |
| >= 21.00.0, < 21.10.1 | affected |
| >= 22.00.0, < 22.5.1 | affected |
| >= 20.7-cert6, < 20.7-cert7 | affected |
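The following script is an added example, not part of this advisory entry or of the Asterisk project. It encodes the affected-version ranges from the table above (lower bound inclusive, upper bound exclusive, the upper bound being the first fixed release in that series) and reports, for a version string as printed by `asterisk -V`, whether the build is affected and which release fixes it. For the certified branch it follows the structured data (`< 20.7-cert7`) rather than the CNA sentence. Assumptions made here: the banner format `Asterisk 22.5.0 ...`, and that certified (`-certN`) builds form a separate version stream from regular releases, so `20.7-cert7` is not treated as a `20.7.x` release.

```python
import re
from typing import NamedTuple, Optional, Union

# Affected ranges as given in the structured version data of this entry.
# (lower bound inclusive or None for "no lower bound", upper bound exclusive)
AFFECTED_RANGES = [
    (None, "18.26.3"),
    ("20.00.0", "20.15.1"),
    ("21.00.0", "21.10.1"),
    ("22.00.0", "22.5.1"),
    ("20.7-cert6", "20.7-cert7"),
]


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    cert: Optional[int]  # None for a regular release, N for a "-certN" release

    def render(self) -> str:
        if self.cert is None:
            return f"{self.major}.{self.minor}.{self.patch}"
        return f"{self.major}.{self.minor}-cert{self.cert}"


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-cert(\d+))?$")
_BANNER_RE = re.compile(r"Asterisk\s+(\S+)")  # assumed 'asterisk -V' banner format


def parse_version(text: str) -> Version:
    """Parse '18.26.2', '20.00.0' or '20.7-cert6' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Asterisk version: {text!r}")
    major, minor, patch, cert = m.groups()
    return Version(int(major), int(minor), int(patch or 0),
                   int(cert) if cert is not None else None)


def version_from_banner(banner: str) -> Version:
    """Extract the version from 'asterisk -V' output (assumed 'Asterisk 22.5.0 ...')."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"no Asterisk version in banner: {banner!r}")
    return parse_version(m.group(1))


def _key(v: Version):
    # Certified and regular releases are never compared with each other
    # (fixed_release skips ranges of the other stream), so 0 for a missing
    # cert number cannot change any ordering decision.
    return (v.major, v.minor, v.patch, v.cert if v.cert is not None else 0)


def fixed_release(version: Union[str, Version]) -> Optional[str]:
    """Return the first fixed release for an affected version, or None when the
    version lies outside every affected range listed on this page."""
    v = version if isinstance(version, Version) else parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        hi = parse_version(upper)
        if (hi.cert is None) != (v.cert is None):
            continue  # '-cert' builds are their own stream; 20.7-cert7 is not 20.7.x
        if lower is not None and _key(v) < _key(parse_version(lower)):
            continue
        if _key(v) < _key(hi):
            return upper
    return None


def is_affected(version: Union[str, Version]) -> bool:
    return fixed_release(version) is not None


if __name__ == "__main__":
    # Constructed sample banners, not captured from real systems.
    for banner in ("Asterisk 18.26.2", "Asterisk 20.7-cert6", "Asterisk 22.5.1 built by root @ pbx"):
        v = version_from_banner(banner)
        fix = fixed_release(v)
        verdict = f"affected, upgrade to {fix}" if fix else "not in an affected range"
        print(f"{v.render()}: {verdict}")
```

Versions that the entry does not list, such as the 19.x series, fall through to "not in an affected range" because the script only reflects the ranges on this page, not the support status of those branches; treat such a result as "not listed", not as "safe".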
VulnDex Vulnerability Enrichment

| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.35% | 0.571 |

| Source | Base Score | Exploitability Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 6.5 | 2.8 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CWE-476 NULL Pointer Dereference
The product dereferences a pointer that it expects to be valid but is NULL.