| purl | pkg:deb/debian/asterisk@1:1.6.2.9-2%2Bsqueeze12 |
| Next non-vulnerable version | 1:22.9.0+dfsg+~cs6.16.60671434-1 |
| Latest non-vulnerable version | 1:22.9.0+dfsg+~cs6.16.60671434-1 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-111d-qj24-nyde
Aliases: CVE-2012-2415 |
Multiple vulnerabilities in Asterisk might allow remote attackers to execute arbitrary code. |
Affected by 98 other vulnerabilities. |
|
VCID-1qxc-4xk5-2feu
Aliases: CVE-2026-23740 |
Asterisk: Arbitrary code execution and file overwrite as root via insecure ast_coredumper file handling |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-1u6r-4dzb-wfh2
Aliases: CVE-2011-1507 |
Multiple vulnerabilities in Asterisk might allow unauthenticated remote attackers to execute arbitrary code. |
Affected by 98 other vulnerabilities. |
|
VCID-1wuy-5w5r-bubj
Aliases: CVE-2012-1184 |
Multiple vulnerabilities have been found in Asterisk, the worst of which may allow execution of arbitrary code. |
Affected by 98 other vulnerabilities. |
|
VCID-2qjc-yspn-xydj
Aliases: CVE-2025-47780 |
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring `cli_permissions.conf` (e.g. with the config line `deny=!*`) does not work which could lead to a security risk. If an administrator running an Asterisk instance relies on the `cli_permissions.conf` file to work and expects it to deny all attempts to execute shell commands, then this could lead to a security vulnerability. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-2r38-yjx6-uuae
Aliases: CVE-2016-2232 |
security update |
Affected by 90 other vulnerabilities. Affected by 72 other vulnerabilities. |
|
VCID-32hs-eqw2-1kf2
Aliases: CVE-2019-18790 |
An issue was discovered in channels/chan_sip.c in Sangoma Asterisk 13.x before 13.29.2, 16.x before 16.6.2, and 17.x before 17.0.1, and Certified Asterisk 13.21 before cert5. A SIP request can be sent to Asterisk that can change a SIP peer's IP address. A REGISTER does not need to occur, and calls can be hijacked as a result. The only thing that needs to be known is the peer's name; authentication details such as passwords do not need to be known. This vulnerability is only exploitable when the nat option is set to the default, or auto_force_rport. |
Affected by 15 other vulnerabilities. |
|
VCID-34fv-tv5a-tkgw
Aliases: CVE-2022-23537 |
security update |
Affected by 15 other vulnerabilities. |
|
VCID-3jx3-v6c9-3be2
Aliases: CVE-2013-5641 |
Multiple vulnerabilities have been found in Asterisk, the worst of which may allow execution of arbitrary code. |
Affected by 98 other vulnerabilities. Affected by 90 other vulnerabilities. |
|
VCID-43ff-97jw-hkce
Aliases: CVE-2025-1131 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to arbitrary code execution. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-48pt-6j6q-jbcn
Aliases: CVE-2022-23608 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-542z-gtvr-ykck
Aliases: CVE-2012-2416 |
Multiple vulnerabilities in Asterisk might allow remote attackers to execute arbitrary code. |
Affected by 98 other vulnerabilities. |
|
VCID-55vv-7jsj-xqeh
Aliases: CVE-2023-49294 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. |
Affected by 12 other vulnerabilities. |
|
VCID-5yue-52xt-ryhw
Aliases: CVE-2019-18610 |
An issue was discovered in manager.c in Sangoma Asterisk through 13.x, 16.x, 17.x and Certified Asterisk 13.21 through 13.21-cert4. A remote authenticated Asterisk Manager Interface (AMI) user without system authorization could use a specially crafted Originate AMI request to execute arbitrary system commands. |
Affected by 15 other vulnerabilities. |
|
VCID-63fe-saga-13ct
Aliases: CVE-2025-54995 |
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 18.26.4 and 18.9-cert17, RTP UDP ports and internal resources can leak due to a lack of session termination. This could result in leaks and resource exhaustion. This issue has been patched in versions 18.26.4 and 18.9-cert17. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-67av-c7qh-5kek
Aliases: CVE-2012-3812 |
Multiple vulnerabilities have been found in Asterisk, the worst of which may allow execution of arbitrary code. |
Affected by 98 other vulnerabilities. |
|
VCID-6jv8-3wch-wfew
Aliases: CVE-2016-2316 |
security update |
Affected by 90 other vulnerabilities. Affected by 72 other vulnerabilities. |
|
VCID-6rhm-xrwe-x7af
Aliases: CVE-2021-26717 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. |
Affected by 15 other vulnerabilities. |
|
VCID-6xqn-t8j4-skgs
Aliases: CVE-2011-2535 |
Multiple vulnerabilities in Asterisk might allow unauthenticated remote attackers to execute arbitrary code. |
Affected by 98 other vulnerabilities. |
|
VCID-7kus-4n4f-myd1
Aliases: CVE-2022-26498 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. |
Affected by 15 other vulnerabilities. |
|
VCID-7m8s-6ydk-gbgr
Aliases: CVE-2021-37706 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-7ner-5xz7-93gz
Aliases: CVE-2018-12227 |
Multiple vulnerabilities have been found in Asterisk, the worst of which could result in a Denial of Service condition. |
Affected by 72 other vulnerabilities. Affected by 57 other vulnerabilities. |
|
VCID-7pts-41xh-mbh4
Aliases: CVE-2012-4737 |
Multiple vulnerabilities have been found in Asterisk, the worst of which may allow execution of arbitrary code. |
Affected by 98 other vulnerabilities. |
|
VCID-7tfx-9358-gygx
Aliases: CVE-2011-1147 |
Multiple vulnerabilities in Asterisk might allow unauthenticated remote attackers to execute arbitrary code. |
Affected by 98 other vulnerabilities. |
|
VCID-7tjs-ybpe-r7hg
Aliases: CVE-2014-8417 |
Multiple vulnerabilities have been found in Asterisk, the worst of which could lead to Denial of Service, bypass intended ACL restrictions or allow an authenticated user to gain escalated privileges. |
Affected by 72 other vulnerabilities. |
|
VCID-8kjy-xtm2-bqan
Aliases: CVE-2026-23739 |
Asterisk: Local file disclosure via unsafe XML parsing |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-8mfb-mmaz-mfab
Aliases: CVE-2011-2216 |
reqresp_parser.c in the SIP channel driver in Asterisk Open Source 1.8.x before 1.8.4.2 does not initialize certain strings, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed Contact header. |
Affected by 98 other vulnerabilities. |
|
VCID-8pdp-epea-juhj
Aliases: CVE-2022-26499 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. |
Affected by 15 other vulnerabilities. |
|
VCID-8qy8-gk53-eufc
Aliases: CVE-2017-16671 |
Multiple vulnerabilities have been found in Asterisk, the worst of which could result in a Denial of Service condition. |
Affected by 57 other vulnerabilities. |
|
VCID-8shw-ev6h-dqgh
Aliases: CVE-2014-8414 |
Multiple vulnerabilities have been found in Asterisk, the worst of which could lead to Denial of Service, bypass intended ACL restrictions or allow an authenticated user to gain escalated privileges. |
Affected by 72 other vulnerabilities. |
|
VCID-8sys-3sj7-c3h6
Aliases: CVE-2022-21722 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-8yav-jpp1-rfbe
Aliases: CVE-2021-43299 |
security update |
Affected by 15 other vulnerabilities. |
|
VCID-917e-7kp2-y3hw
Aliases: CVE-2019-15297 |
res_pjsip_t38 in Sangoma Asterisk 15.x before 15.7.4 and 16.x before 16.5.1 allows an attacker to trigger a crash by sending a declined stream in a response to a T.38 re-invite initiated by Asterisk. The crash occurs because of a NULL session media object dereference. |
Affected by 15 other vulnerabilities. |
|
VCID-9at6-bgzv-gue3
Aliases: CVE-2022-39269 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-9f9j-z7y7-sffy
Aliases: CVE-2021-43845 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-9u4p-wdky-a3h1
Aliases: CVE-2024-42365 |
Asterisk is an open source private branch exchange (PBX) and telephony toolkit. Prior to asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an AMI user with `write=originate` may change all configuration files in the `/etc/asterisk/` directory. This occurs because they are able to curl remote files and write them to disk, but are also able to append to existing files using the `FILE` function inside the `SET` application. This issue may result in privilege escalation, remote code execution and/or blind server-side request forgery with arbitrary protocol. Asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2 contain a fix for this issue. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-9xk8-m5c3-wud8
Aliases: CVE-2011-2666 |
Multiple vulnerabilities in Asterisk might allow unauthenticated remote attackers to execute arbitrary code. |
Affected by 98 other vulnerabilities. |
|
VCID-a2n5-xpy5-gyfh
Aliases: CVE-2017-14100 |
Multiple vulnerabilities have been found in Asterisk, the worst of which allows remote execution of arbitrary shell commands. |
Affected by 90 other vulnerabilities. Affected by 72 other vulnerabilities. Affected by 57 other vulnerabilities. |
|
VCID-ap3n-99gn-aucs
Aliases: CVE-2023-27585 |
A vulnerability has been discovered in PJSIP, which could lead to arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-apn8-j2e8-uka5
Aliases: CVE-2011-4598 |
The handle_request_info function in channels/chan_sip.c in Asterisk Open Source 1.6.2.x before 1.6.2.21 and 1.8.x before 1.8.7.2, when automon is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted sequence of SIP requests. |
Affected by 98 other vulnerabilities. |
|
VCID-ay1n-kp3k-37db
Aliases: CVE-2014-8415 |
Race condition in the chan_pjsip channel driver in Asterisk Open Source 12.x before 12.7.1 and 13.x before 13.0.1 allows remote attackers to cause a denial of service (assertion failure and crash) via a cancel request for a SIP session with a queued action to (1) answer a session or (2) send ringing. |
Affected by 72 other vulnerabilities. |
|
VCID-b4z5-5hbq-5ka8
Aliases: CVE-2022-42706 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. |
Affected by 15 other vulnerabilities. |
|
VCID-bbhx-pe8h-fubn
Aliases: CVE-2014-8418 |
Multiple vulnerabilities have been found in Asterisk, the worst of which could lead to Denial of Service, bypass intended ACL restrictions or allow an authenticated user to gain escalated privileges. |
Affected by 72 other vulnerabilities. |
|
VCID-bk8r-brkr-bqc6
Aliases: CVE-2023-49786 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. |
Affected by 12 other vulnerabilities. |
|
VCID-bknu-abgc-bugw
Aliases: CVE-2023-37457 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. |
Affected by 12 other vulnerabilities. |
|
VCID-bv3b-3h5a-s7ez
Aliases: CVE-2012-1183 |
Multiple vulnerabilities have been found in Asterisk, the worst of which may allow execution of arbitrary code. |
Affected by 98 other vulnerabilities. |
|
VCID-byqv-c5jp-6ybg
Aliases: CVE-2021-43301 |
security update |
Affected by 15 other vulnerabilities. |
|
VCID-cupt-538a-z3fp
Aliases: CVE-2022-37325 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. |
Affected by 15 other vulnerabilities. |
|
VCID-cvp4-5uvw-xff2
Aliases: CVE-2012-3863 |
Multiple vulnerabilities have been found in Asterisk, the worst of which may allow execution of arbitrary code. |
Affected by 98 other vulnerabilities. |
|
VCID-czy4-hnuj-fbgx
Aliases: CVE-2011-1174 |
Multiple vulnerabilities in Asterisk might allow unauthenticated remote attackers to execute arbitrary code. |
Affected by 98 other vulnerabilities. |
|
VCID-d8sn-7zbc-4bhy
Aliases: CVE-2012-2414 |
Multiple vulnerabilities in Asterisk might allow remote attackers to execute arbitrary code. |
Affected by 98 other vulnerabilities. |
|
VCID-ddpb-zwva-rfc5
Aliases: CVE-2022-21723 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-dmv1-4jgk-e3cq
Aliases: CVE-2014-2287 |
Multiple buffer overflows in Asterisk might allow remote attackers to cause a Denial of Service condition. |
Affected by 90 other vulnerabilities. |
|
VCID-dpra-jbea-4fcy
Aliases: CVE-2017-14603 |
Multiple vulnerabilities have been found in Asterisk, the worst of which allows remote execution of arbitrary shell commands. |
Affected by 90 other vulnerabilities. Affected by 72 other vulnerabilities. Affected by 57 other vulnerabilities. |
|
VCID-e1yx-dxa6-1bba
Aliases: CVE-2011-3389 |
Multiple vulnerabilities have been found in the Oracle JRE/JDK, allowing attackers to cause unspecified impact. |
Affected by 72 other vulnerabilities. |
|
VCID-e7t9-pdx7-5kgm
Aliases: CVE-2011-1175 |
Multiple vulnerabilities in Asterisk might allow unauthenticated remote attackers to execute arbitrary code. |
Affected by 98 other vulnerabilities. |
|
VCID-ebcm-kjvz-73cz
Aliases: CVE-2015-1558 |
Asterisk Open Source 12.x before 12.8.1 and 13.x before 13.1.1, when using the PJSIP channel driver, does not properly reclaim RTP ports, which allows remote authenticated users to cause a denial of service (file descriptor consumption) via an SDP offer containing only incompatible codecs. |
Affected by 72 other vulnerabilities. |
|
VCID-edp8-yh2h-xuck
Aliases: CVE-2014-9374 |
Multiple vulnerabilities have been found in Asterisk, the worst of which could lead to Denial of Service, bypass intended ACL restrictions or allow an authenticated user to gain escalated privileges. |
Affected by 72 other vulnerabilities. |
|
VCID-ehd7-39bz-2ybk
Aliases: CVE-2012-5976 |
Multiple vulnerabilities have been found in Asterisk, the worst of which may allow execution of arbitrary code. |
Affected by 98 other vulnerabilities. |
|
VCID-ehx4-qzgr-qbd9
Aliases: CVE-2014-4047 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which could allow privileged users to execute arbitrary system shell commands. |
Affected by 90 other vulnerabilities. |
|
VCID-epzp-dpmr-33df
Aliases: CVE-2021-32686 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-eund-5mfa-9kbn
Aliases: CVE-2017-17090 |
security update |
Affected by 90 other vulnerabilities. Affected by 72 other vulnerabilities. Affected by 57 other vulnerabilities. |
|
VCID-f1y5-37zk-x3ey
Aliases: CVE-2014-8413 |
The res_pjsip_acl module in Asterisk Open Source 12.x before 12.7.1 and 13.x before 13.0.1 does not properly create and load ACLs defined in pjsip.conf at startup, which allows remote attackers to bypass intended PJSIP ACL rules. |
Affected by 72 other vulnerabilities. |
|
VCID-f4br-7sgk-27cf
Aliases: CVE-2014-6610 |
Multiple vulnerabilities have been found in Asterisk, the worst of which could lead to Denial of Service. |
Affected by 90 other vulnerabilities. |
|
VCID-f5qc-tsbr-1yap
Aliases: CVE-2021-43804 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-fjzf-5rtw-rqfj
Aliases: CVE-2021-26906 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. |
Affected by 15 other vulnerabilities. |
|
VCID-fndq-j9d2-afed
Aliases: CVE-2017-17664 |
A Remote Crash issue was discovered in Asterisk Open Source 13.x before 13.18.4, 14.x before 14.7.4, and 15.x before 15.1.4 and Certified Asterisk before 13.13-cert9. Certain compound RTCP packets cause a crash in the RTCP Stack. |
Affected by 57 other vulnerabilities. |
|
VCID-fz7z-xttk-13by
Aliases: CVE-2016-7551 |
security update |
Affected by 90 other vulnerabilities. Affected by 72 other vulnerabilities. |
|
VCID-ggu9-8qd1-4ffx
Aliases: CVE-2018-7286 |
security update |
Affected by 72 other vulnerabilities. Affected by 57 other vulnerabilities. |
|
VCID-gkcp-1zz6-tfb5
Aliases: CVE-2020-28327 |
A res_pjsip_session crash was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1 and Certified Asterisk before 16.8-cert5. Upon receiving a new SIP Invite, Asterisk did not return the created dialog locked or referenced. This caused a gap between the creation of the dialog object, and its next use by the thread that created it. Depending on some off-nominal circumstances and timing, it was possible for another thread to free said dialog in this gap. Asterisk could then crash when the dialog object, or any of its dependent objects, were dereferenced or accessed next by the initial-creation thread. Note, however, that this crash can only occur when using a connection-oriented protocol (e.g., TCP or TLS, but not UDP) for SIP transport. Also, the remote client must be authenticated, or Asterisk must be configured for anonymous calling. |
Affected by 15 other vulnerabilities. |
|
VCID-gy3u-c6dc-sbbn
Aliases: CVE-2024-53566 |
An issue in the action_listcategories() function of Sangoma Asterisk v22/22.0.0/22.0.0-rc1/22.0.0-rc2/22.0.0-pre1 allows attackers to execute a path traversal. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-h193-vjhb-j3a3
Aliases: CVE-2021-32558 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. |
Affected by 15 other vulnerabilities. |
|
VCID-h52b-ubb6-byh1
Aliases: CVE-2013-2686 |
Multiple vulnerabilities have been found in Asterisk, the worst of which may allow execution of arbitrary code. |
Affected by 98 other vulnerabilities. |
|
VCID-hj93-7z1r-vkfk
Aliases: CVE-2022-24763 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-huqt-1fv6-67cz
Aliases: CVE-2020-35652 |
An issue was discovered in res_pjsip_diversion.c in Sangoma Asterisk before 13.38.0, 14.x through 16.x before 16.15.0, 17.x before 17.9.0, and 18.x before 18.1.0. A crash can occur when a SIP message is received with a History-Info header that contains a tel-uri, or when a SIP 181 response is received that contains a tel-uri in the Diversion header. |
Affected by 15 other vulnerabilities. |
|
VCID-hvmt-7qk8-wqh1
Aliases: CVE-2013-5642 |
Multiple vulnerabilities have been found in Asterisk, the worst of which may allow execution of arbitrary code. |
Affected by 98 other vulnerabilities. Affected by 90 other vulnerabilities. |
|
VCID-jwaj-b8n5-bbcx
Aliases: CVE-2016-7550 |
asterisk 13.10.0 is affected by: denial of service issues in asterisk. The impact is: cause a denial of service (remote). |
Affected by 72 other vulnerabilities. |
|
VCID-k1zu-wpsb-wyh3
Aliases: CVE-2017-9358 |
A memory exhaustion vulnerability exists in Asterisk Open Source 13.x before 13.15.1 and 14.x before 14.4.1 and Certified Asterisk 13.13 before 13.13-cert4, which can be triggered by sending specially crafted SCCP packets causing an infinite loop and leading to memory exhaustion (by message logging in that loop). |
Affected by 72 other vulnerabilities. |
|
VCID-kdex-mwf6-13br
Aliases: CVE-2012-2186 |
Multiple vulnerabilities have been found in Asterisk, the worst of which may allow execution of arbitrary code. |
Affected by 98 other vulnerabilities. |
|
VCID-m27d-dqzg-w7gr
Aliases: CVE-2017-7617 |
Remote code execution can occur in Asterisk Open Source 13.x before 13.14.1 and 14.x before 14.3.1 and Certified Asterisk 13.13 before 13.13-cert3 because of a buffer overflow in a CDR user field, related to X-ClientCode in chan_sip, the CDR dialplan function, and the AMI Monitor action. |
Affected by 72 other vulnerabilities. |
|
VCID-mcfv-fuk8-cqaq
Aliases: CVE-2014-8412 |
Multiple vulnerabilities have been found in Asterisk, the worst of which could lead to Denial of Service, bypass intended ACL restrictions or allow an authenticated user to gain escalated privileges. |
Affected by 72 other vulnerabilities. |
|
VCID-mmqp-yesh-83c1
Aliases: CVE-2011-2536 |
Multiple vulnerabilities in Asterisk might allow unauthenticated remote attackers to execute arbitrary code. |
Affected by 98 other vulnerabilities. |
|
VCID-n6mj-v1nc-hke9
Aliases: CVE-2022-24793 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-nf5d-nejq-mkd9
Aliases: CVE-2021-43303 |
security update |
Affected by 15 other vulnerabilities. |
|
VCID-ngds-k5mh-t3ae
Aliases: CVE-2022-31031 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-nzu7-8h1d-mbbw
Aliases: CVE-2011-4597 |
The SIP over UDP implementation in Asterisk Open Source 1.4.x before 1.4.43, 1.6.x before 1.6.2.21, and 1.8.x before 1.8.7.2 uses different port numbers for responses to invalid requests depending on whether a SIP username exists, which allows remote attackers to enumerate usernames via a series of requests. |
Affected by 98 other vulnerabilities. |
|
VCID-p5vz-kq6m-63dd
Aliases: CVE-2018-17281 |
Multiple vulnerabilities have been found in Asterisk, the worst of which could result in a Denial of Service condition. |
Affected by 72 other vulnerabilities. Affected by 57 other vulnerabilities. |
|
VCID-phb4-xaj7-byg2
Aliases: CVE-2026-23741 |
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the asterisk/contrib/scripts/ast_coredumper runs as root, as noted by the NOTES tag on line 689 of the ast_coredumper file. The script will source the contents of /etc/asterisk/ast_debug_tools.conf, which resides in a folder that is writeable by the asterisk user:group. Because the /etc/asterisk/ast_debug_tools.conf file follows bash semantics and is sourced, an attacker with write permissions may add or modify the file so that when ast_coredumper is run as root, it sources and thereby executes arbitrary bash code found in /etc/asterisk/ast_debug_tools.conf. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-pmte-bc34-pfcv
Aliases: CVE-2023-38703 |
security update |
Affected by 12 other vulnerabilities. |
|
VCID-psbg-wv2x-w7ba
Aliases: CVE-2022-23547 |
security update |
Affected by 15 other vulnerabilities. |
|
VCID-qcqe-63ev-f7gv
Aliases: CVE-2024-42491 |
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.24.3, 20.9.3, and 21.4.3 of Asterisk and versions 18.9-cert12 and 20.7-cert2 of certified-asterisk, if Asterisk attempts to send a SIP request to a URI whose host portion starts with `.1` or `[.1]`, and res_resolver_unbound is loaded, Asterisk will crash with a SEGV. To receive a patch, users should upgrade to one of the following versions: 18.24.3, 20.9.3, 21.4.3, certified-18.9-cert12, certified-20.7-cert2. Two workarounds are available. Disable res_resolver_unbound by setting `noload = res_resolver_unbound.so` in modules.conf, or set `rewrite_contact = yes` on all PJSIP endpoints. NOTE: This may not be appropriate for all Asterisk configurations. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-qksp-5hqu-7qad
Aliases: CVE-2019-7251 |
An Integer Signedness issue (for a return code) in the res_pjsip_sdp_rtp module in Digium Asterisk versions 15.7.1 and earlier and 16.1.1 and earlier allows remote authenticated users to crash Asterisk via a specially crafted SDP protocol violation. |
Affected by 57 other vulnerabilities. |
|
VCID-qpwr-bqps-77cc
Aliases: CVE-2012-2947 |
Multiple vulnerabilities in Asterisk might allow remote attackers to execute arbitrary code. |
Affected by 98 other vulnerabilities. |
|
VCID-qsqz-g9fv-6bgg
Aliases: CVE-2013-2264 |
Multiple vulnerabilities have been found in Asterisk, the worst of which may allow execution of arbitrary code. |
Affected by 98 other vulnerabilities. |
|
VCID-r6s6-y3q8-vydc
Aliases: CVE-2017-14099 |
Multiple vulnerabilities have been found in Asterisk, the worst of which allows remote execution of arbitrary shell commands. |
Affected by 90 other vulnerabilities. Affected by 72 other vulnerabilities. Affected by 57 other vulnerabilities. |
|
VCID-r8b9-jcqa-xyb2
Aliases: CVE-2020-35776 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. |
Affected by 15 other vulnerabilities. |
|
VCID-rb5h-mvxt-7qhv
Aliases: CVE-2015-3008 |
security update |
Affected by 90 other vulnerabilities. Affected by 72 other vulnerabilities. |
|
VCID-rwug-45gf-s3bz
Aliases: CVE-2018-7284 |
security update |
Affected by 72 other vulnerabilities. Affected by 57 other vulnerabilities. |
|
VCID-s3p6-93jg-p7c3
Aliases: CVE-2014-4046 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which could allow privileged users to execute arbitrary system shell commands. |
Affected by 90 other vulnerabilities. |
|
VCID-s7qt-9z8z-y7bx
Aliases: CVE-2011-2665 |
Multiple vulnerabilities in Asterisk might allow unauthenticated remote attackers to execute arbitrary code. |
Affected by 98 other vulnerabilities. |
|
VCID-sb1c-cz2g-dycu
Aliases: CVE-2013-7100 |
Multiple vulnerabilities have been found in Asterisk, the worst of which may allow execution of arbitrary code. |
Affected by 98 other vulnerabilities. Affected by 90 other vulnerabilities. |
|
VCID-sqgd-ykvk-2qay
Aliases: CVE-2014-8416 |
Use-after-free vulnerability in the PJSIP channel driver in Asterisk Open Source 12.x before 12.7.1 and 13.x before 13.0.1, when using the res_pjsip_refer module, allows remote attackers to cause a denial of service (crash) via an in-dialog INVITE with Replaces message, which triggers the channel to be hung up. |
Affected by 72 other vulnerabilities. |
|
VCID-sw4t-1yct-ffbd
Aliases: CVE-2012-2948 |
Multiple vulnerabilities in Asterisk might allow remote attackers to execute arbitrary code. |
Affected by 98 other vulnerabilities. |
|
VCID-tqwd-ffwc-mkd1
Aliases: CVE-2022-24792 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-tyh4-14zn-63ez
Aliases: CVE-2020-28242 |
An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1 and Certified Asterisk before 16.8-cert5. If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory since the transaction will never terminate (even if the call is hung up), ultimately leading to a restart or shutdown of Asterisk. Outbound authentication must be configured on the endpoint for this to occur. |
Affected by 15 other vulnerabilities. |
|
VCID-u4gv-ss9p-sqe9
Aliases: CVE-2017-14098 |
Multiple vulnerabilities have been found in Asterisk, the worst of which allows remote execution of arbitrary shell commands. |
Affected by 57 other vulnerabilities. |
|
VCID-u91b-9huy-43hn
Aliases: CVE-2025-47779 |
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, SIP requests of the type MESSAGE (RFC 3428) authentication do not get proper alignment. An authenticated attacker can spoof any user identity to send spam messages to the user with their authorization token. Abuse of this security issue allows authenticated attackers to send fake chat messages that are spoofed to appear to come from trusted entities. Even administrators who follow Security best practices and Security Considerations can be impacted. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-u9xx-wevm-ufdh
Aliases: CVE-2011-2529 |
Multiple vulnerabilities in Asterisk might allow unauthenticated remote attackers to execute arbitrary code. |
Affected by 98 other vulnerabilities. |
|
VCID-urhv-6gz3-u7fr
Aliases: CVE-2011-1599 |
Multiple vulnerabilities in Asterisk might allow unauthenticated remote attackers to execute arbitrary code. |
Affected by 98 other vulnerabilities. |
|
VCID-v7ev-jtsg-cqdg
Aliases: CVE-2021-46837 |
security update |
Affected by 15 other vulnerabilities. |
|
VCID-vwf4-v4ve-4yfh
Aliases: CVE-2022-39244 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-w9ce-m3x8-n3ak
Aliases: CVE-2022-24786 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-w9e8-ekah-wfg2
Aliases: CVE-2017-17850 |
Multiple vulnerabilities have been found in Asterisk, the worst of which could result in a Denial of Service condition. |
Affected by 57 other vulnerabilities. |
|
VCID-x2gp-mft6-1yhy
Aliases: CVE-2019-13161 |
An issue was discovered in Asterisk Open Source through 13.27.0, 14.x and 15.x through 15.7.2, and 16.x through 16.4.0, and Certified Asterisk through 13.21-cert3. A pointer dereference in chan_sip while handling SDP negotiation allows an attacker to crash Asterisk when handling an SDP answer to an outgoing T.38 re-invite. To exploit this vulnerability an attacker must cause the chan_sip module to send a T.38 re-invite request to them. Upon receipt, the attacker must send an SDP answer containing both a T.38 UDPTL stream and another media stream containing only a codec (which is not permitted according to the chan_sip configuration). |
Affected by 15 other vulnerabilities. |
|
VCID-xbe4-uvqu-6kf7
Aliases: CVE-2019-12827 |
Buffer overflow in res_pjsip_messaging in Digium Asterisk versions 13.21-cert3, 13.27.0, 15.7.2, 16.4.0 and earlier allows remote authenticated users to crash Asterisk by sending a specially crafted SIP MESSAGE message. |
Affected by 15 other vulnerabilities. |
|
VCID-xqg6-5cn7-4bct
Aliases: CVE-2011-4063 |
Multiple vulnerabilities in Asterisk might allow unauthenticated remote attackers to execute arbitrary code. |
Affected by 98 other vulnerabilities. |
|
VCID-xt5z-2sgq-4fc4
Aliases: CVE-2012-5977 |
Multiple vulnerabilities have been found in Asterisk, the worst of which may allow execution of arbitrary code. |
Affected by 98 other vulnerabilities. |
|
VCID-y3vu-z8tx-tubb
Aliases: CVE-2019-18976 |
An issue was discovered in res_pjsip_t38.c in Sangoma Asterisk through 13.x and Certified Asterisk through 13.21-x. If it receives a re-invite initiating T.38 faxing and has a port of 0 and no c line in the SDP, a NULL pointer dereference and crash will occur. This is different from CVE-2019-18940. |
Affected by 57 other vulnerabilities. |
|
VCID-y6sx-xqsh-wbcg
Aliases: CVE-2022-24764 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-ytty-tbs1-ffc7
Aliases: CVE-2026-23738 |
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using ast_str_append. The endpoint at GET /httpstatus is the potential vulnerable endpoint relating to asterisk/main /http.c. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. |
Affected by 0 other vulnerabilities. |
|
VCID-yx1m-ayfg-ryc3
Aliases: CVE-2021-43300 |
security update |
Affected by 15 other vulnerabilities. |
|
VCID-z3fq-m317-ckb8
Aliases: CVE-2022-26651 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. |
Affected by 15 other vulnerabilities. |
|
VCID-zabf-adce-sqde
Aliases: CVE-2022-42705 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. |
Affected by 15 other vulnerabilities. |
|
VCID-zbwp-f5me-jqhu
Aliases: CVE-2014-2286 |
Multiple buffer overflows in Asterisk might allow remote attackers to cause a Denial of Service condition. |
Affected by 90 other vulnerabilities. |
|
VCID-zgqk-kej8-qkhg
Aliases: CVE-2012-0885 |
A vulnerability in Asterisk could allow a remote attacker to cause a Denial of Service condition. |
Affected by 98 other vulnerabilities. |
|
VCID-zvwt-wp8r-1qhx
Aliases: CVE-2017-16672 |
Multiple vulnerabilities have been found in Asterisk, the worst of which could result in a Denial of Service condition. |
Affected by 57 other vulnerabilities. |
|
VCID-zxkf-88k3-3qcn
Aliases: CVE-2021-43302 |
security update |
Affected by 15 other vulnerabilities. |
|
VCID-zzpx-gwmv-sfbz
Aliases: CVE-2016-9938 |
An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace. This means that headers such as Contact\x01: will be seen as a valid Contact header. This mostly does not pose a problem until Asterisk is placed in tandem with an authenticating SIP proxy. In such a case, a crafty combination of valid and invalid To headers can cause a proxy to allow an INVITE request into Asterisk without authentication since it believes the request is an in-dialog request. However, because of the bug described above, the request will look like an out-of-dialog request to Asterisk. Asterisk will then process the request as a new call. The result is that Asterisk can process calls from unvetted sources without any authentication. If you do not use a proxy for authentication, then this issue does not affect you. If your proxy is dialog-aware (meaning that the proxy keeps track of what dialogs are currently valid), then this issue does not affect you. If you use chan_pjsip instead of chan_sip, then this issue does not affect you. |
Affected by 72 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1cad-s6nn-j7aw | embedded prototype.js JavaScript hijacking | CVE-2007-2383 |
| VCID-6yxw-veq3-eqgd | Stack-based buffer overflow in the ast_uri_encode function in main/utils.c in Asterisk Open Source before 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1, 1.6.2.16.1, 1.8.1.2, 1.8.2.; and Business Edition before C.3.6.2; when running in pedantic mode allows remote authenticated users to execute arbitrary code via crafted caller ID data in vectors involving the (1) SIP channel driver, (2) URIENCODE dialplan function, or (3) AGI dialplan function. | CVE-2011-0495 |
| VCID-7pxs-dc7h-tkbs | Multiple vulnerabilities in Asterisk might allow remote attackers to cause a Denial of Service condition, or conduct other attacks. | CVE-2009-3727 |
| VCID-986n-21m7-fuc8 | main/acl.c in Asterisk Open Source 1.6.0.x before 1.6.0.25, 1.6.1.x before 1.6.1.17, and 1.6.2.x before 1.6.2.5 does not properly enforce remote host access controls when CIDR notation "/0" is used in permit= and deny= configuration rules, which causes an improper arithmetic shift and might allow remote attackers to bypass ACL rules and access services from unauthorized hosts. | CVE-2010-1224 |
| VCID-c4n3-bd3z-qfbw | Multiple vulnerabilities have been found in Asterisk allowing for Denial of Service and username disclosure. | CVE-2009-0041 |
| VCID-ennr-ek9z-a7db | The design of the dialplan functionality in Asterisk Open Source 1.2.x, 1.4.x, and 1.6.x; and Asterisk Business Edition B.x.x and C.x.x, when using the ${EXTEN} channel variable and wildcard pattern matches, allows context-dependent attackers to inject strings into the dialplan using metacharacters that are injected when the variable is expanded, as demonstrated using the Dial application to process a crafted SIP INVITE message that adds an unintended outgoing channel leg. NOTE: it could be argued that this is not a vulnerability in Asterisk, but a class of vulnerabilities that can occur in any program that uses this feature without the associated filtering functionality that is already available. | CVE-2010-0685 |
| VCID-fdpu-1891-q3a6 | asterisk allows calls on prohibited networks | CVE-2009-3723 |
| VCID-fzs1-dj22-7fff | Multiple vulnerabilities in Asterisk might allow remote attackers to cause a Denial of Service condition, or conduct other attacks. | CVE-2009-2726 |
| VCID-h8nm-exgj-xybc | Multiple vulnerabilities in Asterisk might allow remote attackers to cause a Denial of Service condition, or conduct other attacks. | CVE-2009-4055 |
| VCID-m3gv-mmcp-t7fz | Asterisk: Remote DoS via specially-crafted FaxMaxDatagram SDP packets (AST-2010-001) | CVE-2010-0441 |
| VCID-rn9b-2scp-byf5 | asterisk: remote DoS on receipt of malformed RTP text frames | CVE-2009-2651 |
| VCID-tekr-xkck-pkfu | Multiple vulnerabilities in Asterisk might allow remote attackers to cause a Denial of Service condition, or conduct other attacks. | CVE-2008-7220 |
| VCID-u99q-b5ug-jyd5 | Multiple vulnerabilities have been found in Asterisk allowing for Denial of Service and username disclosure. | CVE-2008-3903 |
| VCID-zvpn-2gds-9yc4 | Multiple vulnerabilities in Asterisk might allow remote attackers to cause a Denial of Service condition, or conduct other attacks. | CVE-2009-2346 |