CVE-2008-2119

high

Description

Asterisk Open Source 1.0.x and 1.2.x before 1.2.29 and Business Edition A.x.x and B.x.x before B.2.5.3, when pedantic parsing (aka pedanticsipchecking) is enabled, allows remote attackers to cause a denial of service (daemon crash) via a SIP INVITE message that lacks a From header, related to invocations of the ast_uri_decode function, and improper handling of (1) an empty const string and (2) a NULL pointer.
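To make the failure mode concrete, the following C program is an added example written for this page; it is not Asterisk's chan_sip code, and sip_get_header, uri_decode, handle_invite_unchecked and handle_invite_checked are assumed stand-ins for the real header lookup and ast_uri_decode. It models both conditions the description names, a header lookup that yields a NULL pointer when From is missing and an empty From value, each handed to an in-place URI decoder, next to the check a hardened caller performs before decoding. The sample INVITE messages are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>

/* Illustrative model of the bug class, written for this page; NOT Asterisk's chan_sip
 * code. sip_get_header() and uri_decode() are simplified stand-ins for the real header
 * lookup and ast_uri_decode(). Full header names only (no SIP compact form). */
/* Copy the value of header `name` into `out` and return `out`, or NULL if absent. */
static char *sip_get_header(const char *msg, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    for (const char *line = msg; *line; ) {
        const char *eol = strstr(line, "\r\n");
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        if (linelen == 0)                     /* blank line ends the headers */
            break;
        if (linelen > nlen && line[nlen] == ':' && strncasecmp(line, name, nlen) == 0) {
            const char *v = line + nlen + 1;
            while (v < line + linelen && (*v == ' ' || *v == '\t'))
                v++;                          /* skip leading whitespace */
            size_t vlen = (size_t)(line + linelen - v);
            if (vlen >= outlen)
                vlen = outlen - 1;            /* truncate, keep room for NUL */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return out;
        }
        if (!eol)
            break;
        line = eol + 2;
    }
    return NULL;
}

static int hexval(unsigned char c)            /* value of a hex digit, or -1 */
{
    return isdigit(c) ? c - '0' : isxdigit(c) ? tolower(c) - 'a' + 10 : -1;
}

/* In-place %XX decoding. Like ast_uri_decode(), it assumes a writable NUL-terminated
 * buffer: a NULL pointer (header missing) or a read-only "" literal (empty const
 * string) crashes here. That crash is the advisory's denial of service. */
static void uri_decode(char *s)
{
    char *o = s;
    while (*s) {
        int hi, lo;
        if (*s == '%' && (hi = hexval(s[1])) >= 0 && (lo = hexval(s[2])) >= 0) {
            *o++ = (char)(hi * 16 + lo);
            s += 3;
        } else {
            *o++ = *s++;
        }
    }
    *o = '\0';
}

/* Vulnerable pattern: decode the lookup result unchecked. On an INVITE with no
 * From header `from` is NULL and uri_decode() dereferences it. */
static int handle_invite_unchecked(const char *msg, char *buf, size_t buflen)
{
    char *from = sip_get_header(msg, "From", buf, buflen);
    uri_decode(from);
    return 0;
}

/* Hardened pattern: reject (e.g. with 400 Bad Request) when the header is absent
 * or empty, and decode only a real, writable value. */
static int handle_invite_checked(const char *msg, char *buf, size_t buflen)
{
    char *from = sip_get_header(msg, "From", buf, buflen);
    if (from == NULL || *from == '\0')
        return -1;
    uri_decode(from);
    return 0;
}

/* Constructed sample INVITEs (RFC 5737 documentation address) and a shared buffer. */
static const char INVITE_OK[] =
    "INVITE sip:100@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.1:5060\r\n"
    "From: \"Alice\" <sip:alice%40example.com>;tag=1\r\nTo: <sip:100@example.com>\r\n"
    "Call-ID: 1@192.0.2.1\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n";
static const char INVITE_NO_FROM[] =
    "INVITE sip:100@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.1:5060\r\n"
    "To: <sip:100@example.com>\r\nCall-ID: 2@192.0.2.1\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n";
static const char INVITE_EMPTY_FROM[] =
    "INVITE sip:100@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.1:5060\r\nFrom:\r\n"
    "To: <sip:100@example.com>\r\nCall-ID: 3@192.0.2.1\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n";
static char g_from[256];

int main(void)
{
    handle_invite_unchecked(INVITE_OK, g_from, sizeof g_from);    /* safe: From is present */
    printf("decoded From: %s\n", g_from);
    printf("no From, checked handler: %d\n", handle_invite_checked(INVITE_NO_FROM, g_from, sizeof g_from));
    return 0;  /* handle_invite_unchecked(INVITE_NO_FROM, ...) would segfault here */
}
```

Build it with cc -Wall and run it. The unchecked handler is only exercised on the well-formed INVITE, because calling it on the From-less message dereferences NULL and kills the process, which is the daemon crash the advisory describes; the hardened handler returns -1 for both the missing and the empty From. On a real deployment the two things to verify are whether the pedantic option is enabled in sip.conf (it is what sets pedanticsipchecking) and whether the running build predates 1.2.29 (Open Source) or B.2.5.3 (Business Edition), the fixed releases the description names.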

References

https://www.exploit-db.com/exploits/5749

https://exchange.xforce.ibmcloud.com/vulnerabilities/42823

http://www.vupen.com/english/advisories/2008/1731

http://www.securitytracker.com/id?1020166

http://www.securityfocus.com/archive/1/493020/100/0/threaded

http://svn.digium.com/view/asterisk?view=rev&revision=120109

http://security.gentoo.org/glsa/glsa-200905-01.xml

http://secunia.com/advisories/34982

http://secunia.com/advisories/30517

http://downloads.digium.com/pub/security/AST-2008-008.html

http://bugs.digium.com/view.php?id=12607

Details

Source: Mitre, NVD

Published: 2008-06-04

Updated: 2018-10-11

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High