Lookup for vulnerable packages by Package URL.
| Purl | pkg:deb/debian/asterisk@1:13.13.1~dfsg-1?distro=sid |
|---|
| Type | deb |
|---|
| Namespace | debian |
|---|
| Name | asterisk |
|---|
| Version | 1:13.13.1~dfsg-1 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | false |
|---|
| Next_non_vulnerable_version | 1:13.14.1~dfsg-1 |
|---|
| Latest_non_vulnerable_version | 1:22.9.0+dfsg+~cs6.16.60671434-1 |
|---|
| Affected_by_vulnerabilities |
|
|---|
| Fixing_vulnerabilities |
| 0 |
| url |
VCID-zzpx-gwmv-sfbz |
| vulnerability_id |
VCID-zzpx-gwmv-sfbz |
| summary |
An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace. This means that headers such as Contact\x01: will be seen as a valid Contact header. This mostly does not pose a problem until Asterisk is placed in tandem with an authenticating SIP proxy. In such a case, a crafty combination of valid and invalid To headers can cause a proxy to allow an INVITE request into Asterisk without authentication since it believes the request is an in-dialog request. However, because of the bug described above, the request will look like an out-of-dialog request to Asterisk. Asterisk will then process the request as a new call. The result is that Asterisk can process calls from unvetted sources without any authentication. If you do not use a proxy for authentication, then this issue does not affect you. If your proxy is dialog-aware (meaning that the proxy keeps track of what dialogs are currently valid), then this issue does not affect you. If you use chan_pjsip instead of chan_sip, then this issue does not affect you. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2016-9938 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01419 |
| scoring_system |
epss |
| scoring_elements |
0.80524 |
| published_at |
2026-04-01T12:55:00Z |
|
| 1 |
| value |
0.01419 |
| scoring_system |
epss |
| scoring_elements |
0.80531 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.01419 |
| scoring_system |
epss |
| scoring_elements |
0.80553 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.01419 |
| scoring_system |
epss |
| scoring_elements |
0.80545 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.01419 |
| scoring_system |
epss |
| scoring_elements |
0.80574 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.01419 |
| scoring_system |
epss |
| scoring_elements |
0.80584 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.01419 |
| scoring_system |
epss |
| scoring_elements |
0.80601 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.01419 |
| scoring_system |
epss |
| scoring_elements |
0.80587 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.01419 |
| scoring_system |
epss |
| scoring_elements |
0.80579 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2016-9938 |
|
| 1 |
|
| 2 |
|
|
| fixed_packages |
|
| aliases |
CVE-2016-9938
|
| risk_score |
null |
| exploitability |
0.5 |
| weighted_severity |
0.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zzpx-gwmv-sfbz |
|
|
|---|
| Risk_score | null |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:deb/debian/asterisk@1:13.13.1~dfsg-1%3Fdistro=sid |
|---|