This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.
Synopsis :
A telephony application running on the remote host is affected by an
HTTP request injection vulnerability.
Description :
According to its SIP banner, the version of Asterisk running on the
remote host is potentially affected by an HTTP request injection
vulnerability due to a flaw within the included libcURL library in the
'parseurlandfillconn' function when handling line feeds and carriage
returns. A remote attacker, using a specially crafted request, could
exploit this to inject unauthorized HTTP requests containing malicious
data or request headers.
Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.
See also :
Solution :
Upgrade to Asterisk 18.104.22.168 / 11.15.1 / 12.8.1 / 13.1.1 /
1.8.28-cert4 / 11.6-cert10, or apply the appropriate patch listed in
the Asterisk advisory.
Risk factor :
Medium / CVSS Base Score : 4.3
CVSS Temporal Score : 3.7
Public Exploit Available : false