Out-of-bounds Write Affecting asterisk package, versions [,c.3.6.2)[1.2.0,1.2.40][1.4.0,1.4.38.1)[1.4.39,1.4.39.1)[1.6.1,1.6.1.21)[1.6.2,1.6.2.15.1)[1.6.2.16,1.6.2.16.1)[1.8.0,1.8.1.2)[1.8.2,1.8.2.2)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
19.5% (97th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-UNMANAGED-ASTERISK-2371565
  • published26 Jan 2022
  • disclosed20 Jan 2011
  • creditUnknown

Introduced: 20 Jan 2011

CVE-2011-0495  (opens in a new tab)
CWE-787  (opens in a new tab)

How to fix?

Upgrade asterisk to version c.3.6.2, 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1, 1.6.2.16.1, 1.8.1.2, 1.8.2.2 or higher.

Overview

Affected versions of this package are vulnerable to Out-of-bounds Write. Stack-based buffer overflow in the ast_uri_encode function in main/utils.c in Asterisk Open Source before 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1, 1.6.2.16.1, 1.8.1.2, 1.8.2.; and Business Edition before C.3.6.2; when running in pedantic mode allows remote authenticated users to execute arbitrary code via crafted caller ID data in vectors involving the (1) SIP channel driver, (2) URIENCODE dialplan function, or (3) AGI dialplan function.

CVSS Base Scores

version 3.1