VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-2ydq-8usj-73ag

Essentials
Severities (43)
References (44)
Severity details (15)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-2ydq-8usj-73ag
Aliases	CVE-2023-49786
Summary	Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1; as well as certified-asterisk prior to 18.9-cert6; Asterisk is susceptible to a DoS due to a race condition in the hello handshake phase of the DTLS protocol when handling DTLS-SRTP for media setup. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable Asterisk servers for calls that rely on DTLS-SRTP. Commit d7d7764cb07c8a1872804321302ef93bf62cba05 contains a fix, which is part of versions 18.20.1, 20.5.1, 21.0.1, amd 18.9-cert6.
Status	Published
Exploitability	0.5
Weighted Severity	6.8
Risk	3.4
Affected and Fixed Packages	Package Details

Weaknesses (2)

CWE-703	Improper Check or Handling of Exceptional Conditions
CWE-362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

System	Score	Found at
cvssv3.1	7.5	http://packetstormsecurity.com/files/176251/Asterisk-20.1.0-Denial-Of-Service.html
ssvc	Track	http://packetstormsecurity.com/files/176251/Asterisk-20.1.0-Denial-Of-Service.html
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00055	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00055	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00055	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00055	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00055	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00055	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00055	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00055	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00055	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00055	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00055	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00055	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00055	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00055	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00055	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00055	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00055	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00055	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00055	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00055	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00055	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
epss	0.00055	https://api.first.org/data/v1/epss?cve=CVE-2023-49786
cvssv3.1	7.5	http://seclists.org/fulldisclosure/2023/Dec/24
ssvc	Track	http://seclists.org/fulldisclosure/2023/Dec/24
cvssv3.1	7.5	https://github.com/asterisk/asterisk/commit/d7d7764cb07c8a1872804321302ef93bf62cba05
ssvc	Track	https://github.com/asterisk/asterisk/commit/d7d7764cb07c8a1872804321302ef93bf62cba05
cvssv3.1	7.5	https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq
ssvc	Track	https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq
cvssv3.1	7.5	https://github.com/EnableSecurity/advisories/tree/master/ES2023-01-asterisk-dtls-hello-race
ssvc	Track	https://github.com/EnableSecurity/advisories/tree/master/ES2023-01-asterisk-dtls-hello-race
cvssv3.1	7.5	https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html
ssvc	Track	https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html
cvssv3.1	5.9	https://nvd.nist.gov/vuln/detail/CVE-2023-49786
cvssv3.1	7.5	http://www.openwall.com/lists/oss-security/2023/12/15/7
ssvc	Track	http://www.openwall.com/lists/oss-security/2023/12/15/7

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at http://packetstormsecurity.com/files/176251/Asterisk-20.1.0-Denial-Of-Service.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-08T14:19:55Z/ Found at http://packetstormsecurity.com/files/176251/Asterisk-20.1.0-Denial-Of-Service.html

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at http://seclists.org/fulldisclosure/2023/Dec/24

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-08T14:19:55Z/ Found at http://seclists.org/fulldisclosure/2023/Dec/24

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/asterisk/asterisk/commit/d7d7764cb07c8a1872804321302ef93bf62cba05

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-08T14:19:55Z/ Found at https://github.com/asterisk/asterisk/commit/d7d7764cb07c8a1872804321302ef93bf62cba05

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-08T14:19:55Z/ Found at https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/EnableSecurity/advisories/tree/master/ES2023-01-asterisk-dtls-hello-race

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-08T14:19:55Z/ Found at https://github.com/EnableSecurity/advisories/tree/master/ES2023-01-asterisk-dtls-hello-race

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-08T14:19:55Z/ Found at https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-49786

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at http://www.openwall.com/lists/oss-security/2023/12/15/7

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-08T14:19:55Z/ Found at http://www.openwall.com/lists/oss-security/2023/12/15/7

Exploit Prediction Scoring System (EPSS)

Percentile	0.12627
EPSS Score	0.00043
Published At	Sept. 16, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-31T08:33:50.390592+00:00	Alpine Linux Importer	Import	https://secdb.alpinelinux.org/v3.17/main.json	37.0.0

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2023-49786
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37457
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38703
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49294
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49786
1059033		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059033
24		http://seclists.org/fulldisclosure/2023/Dec/24
7		http://www.openwall.com/lists/oss-security/2023/12/15/7
Asterisk-20.1.0-Denial-Of-Service.html		http://packetstormsecurity.com/files/176251/Asterisk-20.1.0-Denial-Of-Service.html
cpe:2.3:a:digium:asterisk::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:digium:asterisk::::::::
cpe:2.3:a:digium:asterisk:21.0.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:digium:asterisk:21.0.0:::::::*
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:13.13.0:::::::*
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1::::::
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc1::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc1::::::
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc2::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc2::::::
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc3::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc3::::::
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc4::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc4::::::
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert2::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert2::::::
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert3::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert3::::::
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:rc1::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:13.13.0:rc1::::::
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:rc2::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:13.13.0:rc2::::::
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:-::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:16.8.0:-::::::
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert1::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert1::::::
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert10::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert10::::::
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert11::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert11::::::
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert12::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert12::::::
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert2::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert2::::::
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert3::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert3::::::
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert4::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert4::::::
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert5::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert5::::::
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert6::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert6::::::
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert7::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert7::::::
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert8::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert8::::::
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert9::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert9::::::
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1::::::
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert2::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:18.9:cert2::::::
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert3::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:18.9:cert3::::::
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert4::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:18.9:cert4::::::
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert5::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sangoma:certified_asterisk:18.9:cert5::::::
CVE-2023-49786		https://nvd.nist.gov/vuln/detail/CVE-2023-49786
d7d7764cb07c8a1872804321302ef93bf62cba05		https://github.com/asterisk/asterisk/commit/d7d7764cb07c8a1872804321302ef93bf62cba05
ES2023-01-asterisk-dtls-hello-race		https://github.com/EnableSecurity/advisories/tree/master/ES2023-01-asterisk-dtls-hello-race
GHSA-hxj9-xwr8-w8pq		https://github.com/asterisk/asterisk/security/advisories/GHSA-hxj9-xwr8-w8pq
msg00019.html		https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html