CVE-2011-2536

medium

Description

chan_sip.c in the SIP channel driver in Asterisk Open Source 1.4.x before 1.4.41.2, 1.6.2.x before 1.6.2.18.2, and 1.8.x before 1.8.4.4, and Asterisk Business Edition C.3.x before C.3.7.3, disregards the alwaysauthreject option and generates different responses for invalid SIP requests depending on whether the user account exists, which allows remote attackers to enumerate account names via a series of requests.

References

http://www.securitytracker.com/id?1025734

http://downloads.asterisk.org/pub/security/AST-2011-011.html

http://downloads.asterisk.org/pub/security/AST-2011-011-1.8.diff

Details

Source: Mitre, NVD

Published: 2011-07-06

Updated: 2011-09-07

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Severity: Medium