Search for packages
| purl | pkg:deb/debian/asterisk@1:16.2.1~dfsg-1%2Bdeb10u2 |
| Next non-vulnerable version | 1:22.9.0+dfsg+~cs6.16.60671434-1 |
| Latest non-vulnerable version | 1:22.9.0+dfsg+~cs6.16.60671434-1 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1qxc-4xk5-2feu
Aliases: CVE-2026-23740 |
Asterisk: Asterisk: Arbitrary code execution and file overwrite as root via insecure ast_coredumper file handling |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-2qjc-yspn-xydj
Aliases: CVE-2025-47780 |
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring `cli_permissions.conf` (e.g. with the config line `deny=!*`) does not work which could lead to a security risk. If an administrator running an Asterisk instance relies on the `cli_permissions.conf` file to work and expects it to deny all attempts to execute shell commands, then this could lead to a security vulnerability. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-32hs-eqw2-1kf2
Aliases: CVE-2019-18790 |
An issue was discovered in channels/chan_sip.c in Sangoma Asterisk 13.x before 13.29.2, 16.x before 16.6.2, and 17.x before 17.0.1, and Certified Asterisk 13.21 before cert5. A SIP request can be sent to Asterisk that can change a SIP peer's IP address. A REGISTER does not need to occur, and calls can be hijacked as a result. The only thing that needs to be known is the peer's name; authentication details such as passwords do not need to be known. This vulnerability is only exploitable when the nat option is set to the default, or auto_force_rport. |
Affected by 15 other vulnerabilities. |
|
VCID-34fv-tv5a-tkgw
Aliases: CVE-2022-23537 |
security update |
Affected by 15 other vulnerabilities. |
|
VCID-43ff-97jw-hkce
Aliases: CVE-2025-1131 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to arbitrary code execution. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-48pt-6j6q-jbcn
Aliases: CVE-2022-23608 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-55vv-7jsj-xqeh
Aliases: CVE-2023-49294 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. |
Affected by 12 other vulnerabilities. |
|
VCID-5yue-52xt-ryhw
Aliases: CVE-2019-18610 |
An issue was discovered in manager.c in Sangoma Asterisk through 13.x, 16.x, 17.x and Certified Asterisk 13.21 through 13.21-cert4. A remote authenticated Asterisk Manager Interface (AMI) user without system authorization could use a specially crafted Originate AMI request to execute arbitrary system commands. |
Affected by 15 other vulnerabilities. |
|
VCID-63fe-saga-13ct
Aliases: CVE-2025-54995 |
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 18.26.4 and 18.9-cert17, RTP UDP ports and internal resources can leak due to a lack of session termination. This could result in leaks and resource exhaustion. This issue has been patched in versions 18.26.4 and 18.9-cert17. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-6rhm-xrwe-x7af
Aliases: CVE-2021-26717 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. |
Affected by 15 other vulnerabilities. |
|
VCID-7kus-4n4f-myd1
Aliases: CVE-2022-26498 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. |
Affected by 15 other vulnerabilities. |
|
VCID-7m8s-6ydk-gbgr
Aliases: CVE-2021-37706 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-8kjy-xtm2-bqan
Aliases: CVE-2026-23739 |
Asterisk: Asterisk: Local file disclosure via unsafe XML parsing |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-8pdp-epea-juhj
Aliases: CVE-2022-26499 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. |
Affected by 15 other vulnerabilities. |
|
VCID-8sys-3sj7-c3h6
Aliases: CVE-2022-21722 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-8yav-jpp1-rfbe
Aliases: CVE-2021-43299 |
security update |
Affected by 15 other vulnerabilities. |
|
VCID-917e-7kp2-y3hw
Aliases: CVE-2019-15297 |
res_pjsip_t38 in Sangoma Asterisk 15.x before 15.7.4 and 16.x before 16.5.1 allows an attacker to trigger a crash by sending a declined stream in a response to a T.38 re-invite initiated by Asterisk. The crash occurs because of a NULL session media object dereference. |
Affected by 15 other vulnerabilities. |
|
VCID-9at6-bgzv-gue3
Aliases: CVE-2022-39269 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-9f9j-z7y7-sffy
Aliases: CVE-2021-43845 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-9u4p-wdky-a3h1
Aliases: CVE-2024-42365 |
Asterisk is an open source private branch exchange (PBX) and telephony toolkit. Prior to asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an AMI user with `write=originate` may change all configuration files in the `/etc/asterisk/` directory. This occurs because they are able to curl remote files and write them to disk, but are also able to append to existing files using the `FILE` function inside the `SET` application. This issue may result in privilege escalation, remote code execution and/or blind server-side request forgery with arbitrary protocol. Asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2 contain a fix for this issue. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-ap3n-99gn-aucs
Aliases: CVE-2023-27585 |
A vulnerability has been discovered in PJSIP, which could lead to arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-b4z5-5hbq-5ka8
Aliases: CVE-2022-42706 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. |
Affected by 15 other vulnerabilities. |
|
VCID-bk8r-brkr-bqc6
Aliases: CVE-2023-49786 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. |
Affected by 12 other vulnerabilities. |
|
VCID-bknu-abgc-bugw
Aliases: CVE-2023-37457 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. |
Affected by 12 other vulnerabilities. |
|
VCID-byqv-c5jp-6ybg
Aliases: CVE-2021-43301 |
security update |
Affected by 15 other vulnerabilities. |
|
VCID-cupt-538a-z3fp
Aliases: CVE-2022-37325 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. |
Affected by 15 other vulnerabilities. |
|
VCID-ddpb-zwva-rfc5
Aliases: CVE-2022-21723 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-epzp-dpmr-33df
Aliases: CVE-2021-32686 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-f5qc-tsbr-1yap
Aliases: CVE-2021-43804 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-fjzf-5rtw-rqfj
Aliases: CVE-2021-26906 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. |
Affected by 15 other vulnerabilities. |
|
VCID-gkcp-1zz6-tfb5
Aliases: CVE-2020-28327 |
A res_pjsip_session crash was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1. and Certified Asterisk before 16.8-cert5. Upon receiving a new SIP Invite, Asterisk did not return the created dialog locked or referenced. This caused a gap between the creation of the dialog object, and its next use by the thread that created it. Depending on some off-nominal circumstances and timing, it was possible for another thread to free said dialog in this gap. Asterisk could then crash when the dialog object, or any of its dependent objects, were dereferenced or accessed next by the initial-creation thread. Note, however, that this crash can only occur when using a connection-oriented protocol (e.g., TCP or TLS, but not UDP) for SIP transport. Also, the remote client must be authenticated, or Asterisk must be configured for anonymous calling. |
Affected by 15 other vulnerabilities. |
|
VCID-gy3u-c6dc-sbbn
Aliases: CVE-2024-53566 |
An issue in the action_listcategories() function of Sangoma Asterisk v22/22.0.0/22.0.0-rc1/22.0.0-rc2/22.0.0-pre1 allows attackers to execute a path traversal. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-h193-vjhb-j3a3
Aliases: CVE-2021-32558 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. |
Affected by 15 other vulnerabilities. |
|
VCID-hj93-7z1r-vkfk
Aliases: CVE-2022-24763 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-huqt-1fv6-67cz
Aliases: CVE-2020-35652 |
An issue was discovered in res_pjsip_diversion.c in Sangoma Asterisk before 13.38.0, 14.x through 16.x before 16.15.0, 17.x before 17.9.0, and 18.x before 18.1.0. A crash can occur when a SIP message is received with a History-Info header that contains a tel-uri, or when a SIP 181 response is received that contains a tel-uri in the Diversion header. |
Affected by 15 other vulnerabilities. |
|
VCID-n6mj-v1nc-hke9
Aliases: CVE-2022-24793 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-nf5d-nejq-mkd9
Aliases: CVE-2021-43303 |
security update |
Affected by 15 other vulnerabilities. |
|
VCID-ngds-k5mh-t3ae
Aliases: CVE-2022-31031 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-phb4-xaj7-byg2
Aliases: CVE-2026-23741 |
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the asterisk/contrib/scripts/ast_coredumper runs as root, as noted by the NOTES tag on line 689 of the ast_coredumper file. The script will source the contents of /etc/asterisk/ast_debug_tools.conf, which resides in a folder that is writeable by the asterisk user:group. Due to the /etc/asterisk/ast_debug_tools.conf file following bash semantics and it being loaded; an attacker with write permissions may add or modify the file such that when the root ast_coredumper is run; it would source and thereby execute arbitrary bash code found in the /etc/asterisk/ast_debug_tools.conf. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-pmte-bc34-pfcv
Aliases: CVE-2023-38703 |
security update |
Affected by 12 other vulnerabilities. |
|
VCID-psbg-wv2x-w7ba
Aliases: CVE-2022-23547 |
security update |
Affected by 15 other vulnerabilities. |
|
VCID-qcqe-63ev-f7gv
Aliases: CVE-2024-42491 |
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.24.3, 20.9.3, and 21.4.3 of Asterisk and versions 18.9-cert12 and 20.7-cert2 of certified-asterisk, if Asterisk attempts to send a SIP request to a URI whose host portion starts with `.1` or `[.1]`, and res_resolver_unbound is loaded, Asterisk will crash with a SEGV. To receive a patch, users should upgrade to one of the following versions: 18.24.3, 20.9.3, 21.4.3, certified-18.9-cert12, certified-20.7-cert2. Two workarounds are available. Disable res_resolver_unbound by setting `noload = res_resolver_unbound.so` in modules.conf, or set `rewrite_contact = yes` on all PJSIP endpoints. NOTE: This may not be appropriate for all Asterisk configurations. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-r8b9-jcqa-xyb2
Aliases: CVE-2020-35776 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. |
Affected by 15 other vulnerabilities. |
|
VCID-tqwd-ffwc-mkd1
Aliases: CVE-2022-24792 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-tyh4-14zn-63ez
Aliases: CVE-2020-28242 |
An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1 and Certified Asterisk before 16.8-cert5. If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory since the transaction will never terminate (even if the call is hung up), ultimately leading to a restart or shutdown of Asterisk. Outbound authentication must be configured on the endpoint for this to occur. |
Affected by 15 other vulnerabilities. |
|
VCID-u91b-9huy-43hn
Aliases: CVE-2025-47779 |
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, SIP requests of the type MESSAGE (RFC 3428) authentication do not get proper alignment. An authenticated attacker can spoof any user identity to send spam messages to the user with their authorization token. Abuse of this security issue allows authenticated attackers to send fake chat messages can be spoofed to appear to come from trusted entities. Even administrators who follow Security best practices and Security Considerations can be impacted. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-v7ev-jtsg-cqdg
Aliases: CVE-2021-46837 |
security update |
Affected by 15 other vulnerabilities. |
|
VCID-vwf4-v4ve-4yfh
Aliases: CVE-2022-39244 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-w9ce-m3x8-n3ak
Aliases: CVE-2022-24786 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-x2gp-mft6-1yhy
Aliases: CVE-2019-13161 |
An issue was discovered in Asterisk Open Source through 13.27.0, 14.x and 15.x through 15.7.2, and 16.x through 16.4.0, and Certified Asterisk through 13.21-cert3. A pointer dereference in chan_sip while handling SDP negotiation allows an attacker to crash Asterisk when handling an SDP answer to an outgoing T.38 re-invite. To exploit this vulnerability an attacker must cause the chan_sip module to send a T.38 re-invite request to them. Upon receipt, the attacker must send an SDP answer containing both a T.38 UDPTL stream and another media stream containing only a codec (which is not permitted according to the chan_sip configuration). |
Affected by 15 other vulnerabilities. |
|
VCID-xbe4-uvqu-6kf7
Aliases: CVE-2019-12827 |
Buffer overflow in res_pjsip_messaging in Digium Asterisk versions 13.21-cert3, 13.27.0, 15.7.2, 16.4.0 and earlier allows remote authenticated users to crash Asterisk by sending a specially crafted SIP MESSAGE message. |
Affected by 15 other vulnerabilities. |
|
VCID-y6sx-xqsh-wbcg
Aliases: CVE-2022-24764 |
Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution. |
Affected by 15 other vulnerabilities. |
|
VCID-ytty-tbs1-ffc7
Aliases: CVE-2026-23738 |
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using ast_str_append. The endpoint at GET /httpstatus is the potential vulnerable endpoint relating to asterisk/main /http.c. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-yx1m-ayfg-ryc3
Aliases: CVE-2021-43300 |
security update |
Affected by 15 other vulnerabilities. |
|
VCID-z3fq-m317-ckb8
Aliases: CVE-2022-26651 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. |
Affected by 15 other vulnerabilities. |
|
VCID-zabf-adce-sqde
Aliases: CVE-2022-42705 |
Multiple vulnerabilities have been discovered in Asterisk, the worst of which can lead to privilege escalation. |
Affected by 15 other vulnerabilities. |
|
VCID-zxkf-88k3-3qcn
Aliases: CVE-2021-43302 |
security update |
Affected by 15 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-7ner-5xz7-93gz | Multiple vulnerabilities have been found in Asterisk, the worst of which could result in a Denial of Service condition. |
CVE-2018-12227
|
| VCID-8qy8-gk53-eufc | Multiple vulnerabilities have been found in Asterisk, the worst of which could result in a Denial of Service condition. |
CVE-2017-16671
|
| VCID-a2n5-xpy5-gyfh | Multiple vulnerabilities have been found in Asterisk, the worst of which allows remote execution of arbitrary shell commands. |
CVE-2017-14100
|
| VCID-dpra-jbea-4fcy | Multiple vulnerabilities have been found in Asterisk, the worst of which allows remote execution of arbitrary shell commands. |
CVE-2017-14603
|
| VCID-eund-5mfa-9kbn | security update |
CVE-2017-17090
|
| VCID-fndq-j9d2-afed | A Remote Crash issue was discovered in Asterisk Open Source 13.x before 13.18.4, 14.x before 14.7.4, and 15.x before 15.1.4 and Certified Asterisk before 13.13-cert9. Certain compound RTCP packets cause a crash in the RTCP Stack. |
CVE-2017-17664
|
| VCID-ggu9-8qd1-4ffx | security update |
CVE-2018-7286
|
| VCID-p5vz-kq6m-63dd | Multiple vulnerabilities have been found in Asterisk, the worst of which could result in a Denial of Service condition. |
CVE-2018-17281
|
| VCID-qksp-5hqu-7qad | An Integer Signedness issue (for a return code) in the res_pjsip_sdp_rtp module in Digium Asterisk versions 15.7.1 and earlier and 16.1.1 and earlier allows remote authenticated users to crash Asterisk via a specially crafted SDP protocol violation. |
CVE-2019-7251
|
| VCID-r6s6-y3q8-vydc | Multiple vulnerabilities have been found in Asterisk, the worst of which allows remote execution of arbitrary shell commands. |
CVE-2017-14099
|
| VCID-rwug-45gf-s3bz | security update |
CVE-2018-7284
|
| VCID-u4gv-ss9p-sqe9 | Multiple vulnerabilities have been found in Asterisk, the worst of which allows remote execution of arbitrary shell commands. |
CVE-2017-14098
|
| VCID-w9e8-ekah-wfg2 | Multiple vulnerabilities have been found in Asterisk, the worst of which could result in a Denial of Service condition. |
CVE-2017-17850
|
| VCID-y3vu-z8tx-tubb | An issue was discovered in res_pjsip_t38.c in Sangoma Asterisk through 13.x and Certified Asterisk through 13.21-x. If it receives a re-invite initiating T.38 faxing and has a port of 0 and no c line in the SDP, a NULL pointer dereference and crash will occur. This is different from CVE-2019-18940. |
CVE-2019-18976
|
| VCID-zvwt-wp8r-1qhx | Multiple vulnerabilities have been found in Asterisk, the worst of which could result in a Denial of Service condition. |
CVE-2017-16672
|