Configuration Affecting asterisk package, versions <1:1.4.19.1~dfsg-1


Severity

Recommended
0.0
medium
0
10

Based on Debian security rating.

Threat Intelligence

EPSS
2.11% (90th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DEBIAN10-ASTERISK-428619
  • published23 Apr 2008
  • disclosed23 Apr 2008

Introduced: 23 Apr 2008

CVE-2008-1923  (opens in a new tab)
CWE-16  (opens in a new tab)

How to fix?

Upgrade Debian:10 asterisk to version 1:1.4.19.1~dfsg-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream asterisk package and not the asterisk package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

The IAX2 channel driver (chan_iax2) in Asterisk 1.2 before revision 72630 and 1.4 before revision 65679, when configured to allow unauthenticated calls, sends "early audio" to an unverified source IP address of a NEW message, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed NEW message.

CVSS Scores

version 3.1