Information Exposure Affecting asterisk package, versions [,1.4.41.2)[1.6.2.0,1.6.2.18)[1.8.4.0,1.8.4.4)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.55% (78th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-UNMANAGED-ASTERISK-2371574
  • published26 Jan 2022
  • disclosed6 Jul 2011
  • creditUnknown

Introduced: 6 Jul 2011

CVE-2011-2536  (opens in a new tab)
CWE-200  (opens in a new tab)

How to fix?

Upgrade asterisk to version 1.4.41.2, 1.6.2.18, 1.8.4.4 or higher.

Overview

Affected versions of this package are vulnerable to Information Exposure chan_sip.c in the SIP channel driver in Asterisk Open Source 1.4.x before 1.4.41.2, 1.6.2.x before 1.6.2.18.2, and 1.8.x before 1.8.4.4, and Asterisk Business Edition C.3.x before C.3.7.3, disregards the alwaysauthreject option and generates different responses for invalid SIP requests depending on whether the user account exists, which allows remote attackers to enumerate account names via a series of requests.

CVSS Base Scores

version 3.1