cvelistv5 - cve-2022-37325

cve-2022-37325

Vulnerability from cvelistv5

Published

2022-12-05 00:00

Modified

2025-04-24 14:38

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a crash.

References

URL	Tags
cve@mitre.org	https://downloads.asterisk.org/pub/security/AST-2022-007.html	Mitigation, Patch, Vendor Advisory
cve@mitre.org	https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html
cve@mitre.org	https://www.debian.org/security/2023/dsa-5358
af854a3a-2127-422b-91ae-364da2661108	https://downloads.asterisk.org/pub/security/AST-2022-007.html	Mitigation, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html
af854a3a-2127-422b-91ae-364da2661108	https://www.debian.org/security/2023/dsa-5358

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T10:29:20.654Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://downloads.asterisk.org/pub/security/AST-2022-007.html",
               },
               {
                  name: "[debian-lts-announce] 20230222 [SECURITY] [DLA 3335-1] asterisk security update",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html",
               },
               {
                  name: "DSA-5358",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2023/dsa-5358",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  cvssV3_1: {
                     attackComplexity: "LOW",
                     attackVector: "NETWORK",
                     availabilityImpact: "HIGH",
                     baseScore: 7.5,
                     baseSeverity: "HIGH",
                     confidentialityImpact: "NONE",
                     integrityImpact: "NONE",
                     privilegesRequired: "NONE",
                     scope: "UNCHANGED",
                     userInteraction: "NONE",
                     vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                     version: "3.1",
                  },
               },
               {
                  other: {
                     content: {
                        id: "CVE-2022-37325",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "yes",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-04-24T14:38:25.352159Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            problemTypes: [
               {
                  descriptions: [
                     {
                        cweId: "CWE-787",
                        description: "CWE-787 Out-of-bounds Write",
                        lang: "en",
                        type: "CWE",
                     },
                  ],
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-04-24T14:38:48.415Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a crash.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-02-23T00:00:00.000Z",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               url: "https://downloads.asterisk.org/pub/security/AST-2022-007.html",
            },
            {
               name: "[debian-lts-announce] 20230222 [SECURITY] [DLA 3335-1] asterisk security update",
               tags: [
                  "mailing-list",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html",
            },
            {
               name: "DSA-5358",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://www.debian.org/security/2023/dsa-5358",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2022-37325",
      datePublished: "2022-12-05T00:00:00.000Z",
      dateReserved: "2022-08-01T00:00:00.000Z",
      dateUpdated: "2025-04-24T14:38:48.415Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2022-37325\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2022-12-05T21:15:10.073\",\"lastModified\":\"2025-04-24T15:15:47.787\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a crash.\"},{\"lang\":\"es\",\"value\":\"En Sangoma Asterisk hasta 16.28.0, 17.x y 18.x hasta 18.14.0, y 19.x hasta 19.6.0, un mensaje de configuración entrante a addons/ooh323c/src/ooq931.c con una persona que llama o una persona llamada con formato incorrecto IE puede provocar un bloqueo.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.0.0\",\"versionEndExcluding\":\"16.29.1\",\"matchCriteriaId\":\"3632620E-8A6D-4D65-BED9-80C0E7CEA8DD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"18.0.0\",\"versionEndExcluding\":\"18.15.1\",\"matchCriteriaId\":\"F944B1A0-EE6E-4FA3-905D-F37AD20D567B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"19.0.0\",\"versionEndExcluding\":\"19.7.1\",\"matchCriteriaId\":\"A1A640E6-6378-4FA4-98B5-C32B5A937F7B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:asterisk:20.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"ADB799D3-B6BE-468C-8D3E-B087ED287B24\"}]}]}],\"references\":[{\"url\":\"https://downloads.asterisk.org/pub/security/AST-2022-007.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mitigation\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.debian.org/security/2023/dsa-5358\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://downloads.asterisk.org/pub/security/AST-2022-007.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.debian.org/security/2023/dsa-5358\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://downloads.asterisk.org/pub/security/AST-2022-007.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html\", \"name\": \"[debian-lts-announce] 20230222 [SECURITY] [DLA 3335-1] asterisk security update\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"https://www.debian.org/security/2023/dsa-5358\", \"name\": \"DSA-5358\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T10:29:20.654Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-37325\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-24T14:38:25.352159Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-787\", \"description\": \"CWE-787 Out-of-bounds Write\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-24T14:38:44.181Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"https://downloads.asterisk.org/pub/security/AST-2022-007.html\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html\", \"name\": \"[debian-lts-announce] 20230222 [SECURITY] [DLA 3335-1] asterisk security update\", \"tags\": [\"mailing-list\"]}, {\"url\": \"https://www.debian.org/security/2023/dsa-5358\", \"name\": \"DSA-5358\", \"tags\": [\"vendor-advisory\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a crash.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2023-02-23T00:00:00.000Z\"}}}",
         cveMetadata: "{\"cveId\": \"CVE-2022-37325\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-24T14:38:48.415Z\", \"dateReserved\": \"2022-08-01T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2022-12-05T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}

WID-SEC-W-2022-2218

Vulnerability from csaf_certbund

Published

2022-12-01 23:00

Modified

2024-12-08 23:00

Summary

Asterisk: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Asterisk ist eine komplette Open Source Multiprotokoll Telefonanlage (PBX) auf Softwarebasis.

Angriff

Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Asterisk ausnutzen, um einen Denial of Service Angriff durchzuführen oder Informationen offenzulegen.

Betroffene Betriebssysteme

- Linux - Sonstiges - UNIX - Windows

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         text: "mittel",
      },
      category: "csaf_base",
      csaf_version: "2.0",
      distribution: {
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "de-DE",
      notes: [
         {
            category: "legal_disclaimer",
            text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.",
         },
         {
            category: "description",
            text: "Asterisk ist eine komplette Open Source Multiprotokoll Telefonanlage (PBX) auf Softwarebasis.",
            title: "Produktbeschreibung",
         },
         {
            category: "summary",
            text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Asterisk ausnutzen, um einen Denial of Service Angriff durchzuführen oder Informationen offenzulegen.",
            title: "Angriff",
         },
         {
            category: "general",
            text: "- Linux\n- Sonstiges\n- UNIX\n- Windows",
            title: "Betroffene Betriebssysteme",
         },
      ],
      publisher: {
         category: "other",
         contact_details: "csaf-provider@cert-bund.de",
         name: "Bundesamt für Sicherheit in der Informationstechnik",
         namespace: "https://www.bsi.bund.de",
      },
      references: [
         {
            category: "self",
            summary: "WID-SEC-W-2022-2218 - CSAF Version",
            url: "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-2218.json",
         },
         {
            category: "self",
            summary: "WID-SEC-2022-2218 - Portal Version",
            url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-2218",
         },
         {
            category: "external",
            summary: "Asterisk Security Advisory AST-2022-007 vom 2022-12-01",
            url: "https://downloads.asterisk.org/pub/security/AST-2022-007.html",
         },
         {
            category: "external",
            summary: "Asterisk Security Advisory AST-2022-008 vom 2022-12-01",
            url: "https://downloads.asterisk.org/pub/security/AST-2022-008.html",
         },
         {
            category: "external",
            summary: "Asterisk Security Advisory AST-2022-009 vom 2022-12-01",
            url: "https://downloads.asterisk.org/pub/security/AST-2022-009.html",
         },
         {
            category: "external",
            summary: "Debian Security Advisory DLA-3335 vom 2023-02-23",
            url: "https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html",
         },
         {
            category: "external",
            summary: "Debian Security Advisory DSA-5358 vom 2023-02-23",
            url: "https://lists.debian.org/debian-security-announce/2023/msg00047.html",
         },
         {
            category: "external",
            summary: "Gentoo Linux Security Advisory GLSA-202412-03 vom 2024-12-07",
            url: "https://security.gentoo.org/glsa/202412-03",
         },
      ],
      source_lang: "en-US",
      title: "Asterisk: Mehrere Schwachstellen",
      tracking: {
         current_release_date: "2024-12-08T23:00:00.000+00:00",
         generator: {
            date: "2024-12-09T09:22:01.768+00:00",
            engine: {
               name: "BSI-WID",
               version: "1.3.10",
            },
         },
         id: "WID-SEC-W-2022-2218",
         initial_release_date: "2022-12-01T23:00:00.000+00:00",
         revision_history: [
            {
               date: "2022-12-01T23:00:00.000+00:00",
               number: "1",
               summary: "Initiale Fassung",
            },
            {
               date: "2023-02-22T23:00:00.000+00:00",
               number: "2",
               summary: "Neue Updates von Debian aufgenommen",
            },
            {
               date: "2024-12-08T23:00:00.000+00:00",
               number: "3",
               summary: "Neue Updates von Gentoo aufgenommen",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  category: "product_name",
                  name: "Debian Linux",
                  product: {
                     name: "Debian Linux",
                     product_id: "2951",
                     product_identification_helper: {
                        cpe: "cpe:/o:debian:debian_linux:-",
                     },
                  },
               },
            ],
            category: "vendor",
            name: "Debian",
         },
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version_range",
                        name: "<18.9-cert3",
                        product: {
                           name: "Digium Certified Asterisk <18.9-cert3",
                           product_id: "T025465",
                        },
                     },
                     {
                        category: "product_version",
                        name: "18.9-cert3",
                        product: {
                           name: "Digium Certified Asterisk 18.9-cert3",
                           product_id: "T025465-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:digium:certified_asterisk:18.9-cert3",
                           },
                        },
                     },
                  ],
                  category: "product_name",
                  name: "Certified Asterisk",
               },
            ],
            category: "vendor",
            name: "Digium",
         },
         {
            branches: [
               {
                  category: "product_name",
                  name: "Gentoo Linux",
                  product: {
                     name: "Gentoo Linux",
                     product_id: "T012167",
                     product_identification_helper: {
                        cpe: "cpe:/o:gentoo:linux:-",
                     },
                  },
               },
            ],
            category: "vendor",
            name: "Gentoo",
         },
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version_range",
                        name: "<16.29.1",
                        product: {
                           name: "Open Source Asterisk <16.29.1",
                           product_id: "T025458",
                        },
                     },
                     {
                        category: "product_version",
                        name: "16.29.1",
                        product: {
                           name: "Open Source Asterisk 16.29.1",
                           product_id: "T025458-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:digium:asterisk:16.29.1",
                           },
                        },
                     },
                     {
                        category: "product_version_range",
                        name: "<18.15.1",
                        product: {
                           name: "Open Source Asterisk <18.15.1",
                           product_id: "T025459",
                        },
                     },
                     {
                        category: "product_version",
                        name: "18.15.1",
                        product: {
                           name: "Open Source Asterisk 18.15.1",
                           product_id: "T025459-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:digium:asterisk:18.15.1",
                           },
                        },
                     },
                     {
                        category: "product_version_range",
                        name: "<19.7.1",
                        product: {
                           name: "Open Source Asterisk <19.7.1",
                           product_id: "T025460",
                        },
                     },
                     {
                        category: "product_version",
                        name: "19.7.1",
                        product: {
                           name: "Open Source Asterisk 19.7.1",
                           product_id: "T025460-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:digium:asterisk:19.7.1",
                           },
                        },
                     },
                     {
                        category: "product_version_range",
                        name: "<20.0.1",
                        product: {
                           name: "Open Source Asterisk <20.0.1",
                           product_id: "T025461",
                        },
                     },
                     {
                        category: "product_version",
                        name: "20.0.1",
                        product: {
                           name: "Open Source Asterisk 20.0.1",
                           product_id: "T025461-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:digium:asterisk:20.0.1",
                           },
                        },
                     },
                  ],
                  category: "product_name",
                  name: "Asterisk",
               },
            ],
            category: "vendor",
            name: "Open Source",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2022-37325",
         notes: [
            {
               category: "description",
               text: "Es existiert eine Schwachstelle in Asterisk. Diese ist auf einen Integer-Unterlauf im \"h323\"-Modul zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um einen Denial of Service Zustand herbeizuführen.",
            },
         ],
         product_status: {
            known_affected: [
               "T025460",
               "2951",
               "T025459",
               "T025458",
               "T025465",
               "T012167",
               "T025461",
            ],
         },
         release_date: "2022-12-01T23:00:00.000+00:00",
         title: "CVE-2022-37325",
      },
      {
         cve: "CVE-2022-42705",
         notes: [
            {
               category: "description",
               text: "Es existiert eine Schwachstelle in Asterisk. Diese ist auf einen Use-after-Free-Fehler in \"res_pjsip_pubsub.c\" zurückzuführen. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen.",
            },
         ],
         product_status: {
            known_affected: [
               "T025460",
               "2951",
               "T025459",
               "T025458",
               "T025465",
               "T012167",
               "T025461",
            ],
         },
         release_date: "2022-12-01T23:00:00.000+00:00",
         title: "CVE-2022-42705",
      },
      {
         cve: "CVE-2022-42706",
         notes: [
            {
               category: "description",
               text: "Es existiert eine Schwachstelle in Asterisk. Nutzer mit der \"config\"-Berechtigung können Dateien ausserhalb des Asterisk-Verzeichnisses lesen. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, um Informationen offenzulegen.",
            },
         ],
         product_status: {
            known_affected: [
               "T025460",
               "2951",
               "T025459",
               "T025458",
               "T025465",
               "T012167",
               "T025461",
            ],
         },
         release_date: "2022-12-01T23:00:00.000+00:00",
         title: "CVE-2022-42706",
      },
   ],
}

wid-sec-w-2022-2218

Vulnerability from csaf_certbund

Published

2022-12-01 23:00

Modified

2024-12-08 23:00

Summary

Asterisk: Mehrere Schwachstellen

Notes

Produktbeschreibung

Asterisk ist eine komplette Open Source Multiprotokoll Telefonanlage (PBX) auf Softwarebasis.

Angriff

Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Asterisk ausnutzen, um einen Denial of Service Angriff durchzuführen oder Informationen offenzulegen.

Betroffene Betriebssysteme

- Linux - Sonstiges - UNIX - Windows

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         text: "mittel",
      },
      category: "csaf_base",
      csaf_version: "2.0",
      distribution: {
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "de-DE",
      notes: [
         {
            category: "legal_disclaimer",
            text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.",
         },
         {
            category: "description",
            text: "Asterisk ist eine komplette Open Source Multiprotokoll Telefonanlage (PBX) auf Softwarebasis.",
            title: "Produktbeschreibung",
         },
         {
            category: "summary",
            text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Asterisk ausnutzen, um einen Denial of Service Angriff durchzuführen oder Informationen offenzulegen.",
            title: "Angriff",
         },
         {
            category: "general",
            text: "- Linux\n- Sonstiges\n- UNIX\n- Windows",
            title: "Betroffene Betriebssysteme",
         },
      ],
      publisher: {
         category: "other",
         contact_details: "csaf-provider@cert-bund.de",
         name: "Bundesamt für Sicherheit in der Informationstechnik",
         namespace: "https://www.bsi.bund.de",
      },
      references: [
         {
            category: "self",
            summary: "WID-SEC-W-2022-2218 - CSAF Version",
            url: "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-2218.json",
         },
         {
            category: "self",
            summary: "WID-SEC-2022-2218 - Portal Version",
            url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-2218",
         },
         {
            category: "external",
            summary: "Asterisk Security Advisory AST-2022-007 vom 2022-12-01",
            url: "https://downloads.asterisk.org/pub/security/AST-2022-007.html",
         },
         {
            category: "external",
            summary: "Asterisk Security Advisory AST-2022-008 vom 2022-12-01",
            url: "https://downloads.asterisk.org/pub/security/AST-2022-008.html",
         },
         {
            category: "external",
            summary: "Asterisk Security Advisory AST-2022-009 vom 2022-12-01",
            url: "https://downloads.asterisk.org/pub/security/AST-2022-009.html",
         },
         {
            category: "external",
            summary: "Debian Security Advisory DLA-3335 vom 2023-02-23",
            url: "https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html",
         },
         {
            category: "external",
            summary: "Debian Security Advisory DSA-5358 vom 2023-02-23",
            url: "https://lists.debian.org/debian-security-announce/2023/msg00047.html",
         },
         {
            category: "external",
            summary: "Gentoo Linux Security Advisory GLSA-202412-03 vom 2024-12-07",
            url: "https://security.gentoo.org/glsa/202412-03",
         },
      ],
      source_lang: "en-US",
      title: "Asterisk: Mehrere Schwachstellen",
      tracking: {
         current_release_date: "2024-12-08T23:00:00.000+00:00",
         generator: {
            date: "2024-12-09T09:22:01.768+00:00",
            engine: {
               name: "BSI-WID",
               version: "1.3.10",
            },
         },
         id: "WID-SEC-W-2022-2218",
         initial_release_date: "2022-12-01T23:00:00.000+00:00",
         revision_history: [
            {
               date: "2022-12-01T23:00:00.000+00:00",
               number: "1",
               summary: "Initiale Fassung",
            },
            {
               date: "2023-02-22T23:00:00.000+00:00",
               number: "2",
               summary: "Neue Updates von Debian aufgenommen",
            },
            {
               date: "2024-12-08T23:00:00.000+00:00",
               number: "3",
               summary: "Neue Updates von Gentoo aufgenommen",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  category: "product_name",
                  name: "Debian Linux",
                  product: {
                     name: "Debian Linux",
                     product_id: "2951",
                     product_identification_helper: {
                        cpe: "cpe:/o:debian:debian_linux:-",
                     },
                  },
               },
            ],
            category: "vendor",
            name: "Debian",
         },
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version_range",
                        name: "<18.9-cert3",
                        product: {
                           name: "Digium Certified Asterisk <18.9-cert3",
                           product_id: "T025465",
                        },
                     },
                     {
                        category: "product_version",
                        name: "18.9-cert3",
                        product: {
                           name: "Digium Certified Asterisk 18.9-cert3",
                           product_id: "T025465-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:digium:certified_asterisk:18.9-cert3",
                           },
                        },
                     },
                  ],
                  category: "product_name",
                  name: "Certified Asterisk",
               },
            ],
            category: "vendor",
            name: "Digium",
         },
         {
            branches: [
               {
                  category: "product_name",
                  name: "Gentoo Linux",
                  product: {
                     name: "Gentoo Linux",
                     product_id: "T012167",
                     product_identification_helper: {
                        cpe: "cpe:/o:gentoo:linux:-",
                     },
                  },
               },
            ],
            category: "vendor",
            name: "Gentoo",
         },
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version_range",
                        name: "<16.29.1",
                        product: {
                           name: "Open Source Asterisk <16.29.1",
                           product_id: "T025458",
                        },
                     },
                     {
                        category: "product_version",
                        name: "16.29.1",
                        product: {
                           name: "Open Source Asterisk 16.29.1",
                           product_id: "T025458-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:digium:asterisk:16.29.1",
                           },
                        },
                     },
                     {
                        category: "product_version_range",
                        name: "<18.15.1",
                        product: {
                           name: "Open Source Asterisk <18.15.1",
                           product_id: "T025459",
                        },
                     },
                     {
                        category: "product_version",
                        name: "18.15.1",
                        product: {
                           name: "Open Source Asterisk 18.15.1",
                           product_id: "T025459-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:digium:asterisk:18.15.1",
                           },
                        },
                     },
                     {
                        category: "product_version_range",
                        name: "<19.7.1",
                        product: {
                           name: "Open Source Asterisk <19.7.1",
                           product_id: "T025460",
                        },
                     },
                     {
                        category: "product_version",
                        name: "19.7.1",
                        product: {
                           name: "Open Source Asterisk 19.7.1",
                           product_id: "T025460-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:digium:asterisk:19.7.1",
                           },
                        },
                     },
                     {
                        category: "product_version_range",
                        name: "<20.0.1",
                        product: {
                           name: "Open Source Asterisk <20.0.1",
                           product_id: "T025461",
                        },
                     },
                     {
                        category: "product_version",
                        name: "20.0.1",
                        product: {
                           name: "Open Source Asterisk 20.0.1",
                           product_id: "T025461-fixed",
                           product_identification_helper: {
                              cpe: "cpe:/a:digium:asterisk:20.0.1",
                           },
                        },
                     },
                  ],
                  category: "product_name",
                  name: "Asterisk",
               },
            ],
            category: "vendor",
            name: "Open Source",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2022-37325",
         notes: [
            {
               category: "description",
               text: "Es existiert eine Schwachstelle in Asterisk. Diese ist auf einen Integer-Unterlauf im \"h323\"-Modul zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um einen Denial of Service Zustand herbeizuführen.",
            },
         ],
         product_status: {
            known_affected: [
               "T025460",
               "2951",
               "T025459",
               "T025458",
               "T025465",
               "T012167",
               "T025461",
            ],
         },
         release_date: "2022-12-01T23:00:00.000+00:00",
         title: "CVE-2022-37325",
      },
      {
         cve: "CVE-2022-42705",
         notes: [
            {
               category: "description",
               text: "Es existiert eine Schwachstelle in Asterisk. Diese ist auf einen Use-after-Free-Fehler in \"res_pjsip_pubsub.c\" zurückzuführen. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen.",
            },
         ],
         product_status: {
            known_affected: [
               "T025460",
               "2951",
               "T025459",
               "T025458",
               "T025465",
               "T012167",
               "T025461",
            ],
         },
         release_date: "2022-12-01T23:00:00.000+00:00",
         title: "CVE-2022-42705",
      },
      {
         cve: "CVE-2022-42706",
         notes: [
            {
               category: "description",
               text: "Es existiert eine Schwachstelle in Asterisk. Nutzer mit der \"config\"-Berechtigung können Dateien ausserhalb des Asterisk-Verzeichnisses lesen. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, um Informationen offenzulegen.",
            },
         ],
         product_status: {
            known_affected: [
               "T025460",
               "2951",
               "T025459",
               "T025458",
               "T025465",
               "T012167",
               "T025461",
            ],
         },
         release_date: "2022-12-01T23:00:00.000+00:00",
         title: "CVE-2022-42706",
      },
   ],
}

var-202212-0160

Vulnerability from variot

Debian Security Advisory DSA-5358-1 security@debian.org https://www.debian.org/security/ Markus Koschany February 23, 2023 https://www.debian.org/security/faq

Package : asterisk CVE ID : CVE-2022-23537 CVE-2022-23547 CVE-2022-31031 CVE-2022-37325 CVE-2022-39244 CVE-2022-39269 CVE-2022-42705 CVE-2022-42706

Multiple security vulnerabilities have been discovered in Asterisk, an Open Source Private Branch Exchange. Buffer overflows and other programming errors could be exploited for launching a denial of service attack or the execution of arbitrary code.

For the stable distribution (bullseye), these problems have been fixed in version 1:16.28.0~dfsg-0+deb11u2.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/asterisk

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmP3LTtfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7 UeQLpw/8CshgHqfiBn5zx4yxf0mmnHaeXDpDmebNz0MLPJQOBHLn6IBFyAu+TpM5 o9CgBlgTx6LdXToik+0QQtG50EnCp+2gPQ+dalY7lHswTfdwqIrMIM8NUwtOo9ut DUUptPBTbUVDICh/OZfiNE3EfxAJ5Z6ktoqC/L8IqCx/S1ZwbdQJSVXAAQJJUVyT syXDNHpoYqehm6p0JKOAbYkROnCKyvfhrtu9clZgUx0lhlxGRpAMspO15mUTyxqR xLwsWAqWyfPXTZBpa6Ym8Aa8vQeDrvk3QakigvhnYHxhz51eJiH8WcsIzh2NQLW0 CsJHYx+Hq3rVUHpIWvPyR00HeKfGNu4pYzXS8RAhuKricEgxNWEQKWxYO76+xrWt avZ1ebREYG2+6AcneB3ceSCPNEg3YeySmf5RyFYy+3s307OsA8/kbSwzsi4lmBZe 1+bqDZvcb76dEz2d5bFaC9qJ3EUX3C19B4mo/bi+IW4s8YypZZX3OpmH5jCkIFKF XiEmuDj3rtrDYSzQgSCKgflXQIv63UsUn3NbZk2KIkQTZRpBfT8p5M7DWwozOCbO 9CN6gsjkM/H+YT2FfEdXMsqw7H6tl3wv1HUIj9dDaAYfxfnHGMfe3jeSBA84Ql1J +NrQctHyDGHo5WcU4ThMNawTuz+FUn/MHb4+ycyP8TjZa/RHX4M=HsMO -----END PGP SIGNATURE-----

Show details on source website

JSON

To clipboard

{
   "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
      affected_products: {
         "@id": "https://www.variotdbs.pl/ref/affected_products",
      },
      credits: {
         "@id": "https://www.variotdbs.pl/ref/credits",
      },
      cvss: {
         "@id": "https://www.variotdbs.pl/ref/cvss/",
      },
      description: {
         "@id": "https://www.variotdbs.pl/ref/description/",
      },
      exploit_availability: {
         "@id": "https://www.variotdbs.pl/ref/exploit_availability/",
      },
      external_ids: {
         "@id": "https://www.variotdbs.pl/ref/external_ids/",
      },
      iot: {
         "@id": "https://www.variotdbs.pl/ref/iot/",
      },
      iot_taxonomy: {
         "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/",
      },
      patch: {
         "@id": "https://www.variotdbs.pl/ref/patch/",
      },
      problemtype_data: {
         "@id": "https://www.variotdbs.pl/ref/problemtype_data/",
      },
      references: {
         "@id": "https://www.variotdbs.pl/ref/references/",
      },
      sources: {
         "@id": "https://www.variotdbs.pl/ref/sources/",
      },
      sources_release_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_release_date/",
      },
      sources_update_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_update_date/",
      },
      threat_type: {
         "@id": "https://www.variotdbs.pl/ref/threat_type/",
      },
      title: {
         "@id": "https://www.variotdbs.pl/ref/title/",
      },
      type: {
         "@id": "https://www.variotdbs.pl/ref/type/",
      },
   },
   "@id": "https://www.variotdbs.pl/vuln/VAR-202212-0160",
   affected_products: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            model: "asterisk",
            scope: "gte",
            trust: 1,
            vendor: "sangoma",
            version: "19.0.0",
         },
         {
            model: "asterisk",
            scope: "eq",
            trust: 1,
            vendor: "sangoma",
            version: "20.0.0",
         },
         {
            model: "asterisk",
            scope: "lt",
            trust: 1,
            vendor: "sangoma",
            version: "18.15.1",
         },
         {
            model: "asterisk",
            scope: "lt",
            trust: 1,
            vendor: "sangoma",
            version: "16.29.1",
         },
         {
            model: "asterisk",
            scope: "gte",
            trust: 1,
            vendor: "sangoma",
            version: "16.0.0",
         },
         {
            model: "asterisk",
            scope: "lt",
            trust: 1,
            vendor: "sangoma",
            version: "19.7.1",
         },
         {
            model: "asterisk",
            scope: "gte",
            trust: 1,
            vendor: "sangoma",
            version: "18.0.0",
         },
      ],
      sources: [
         {
            db: "NVD",
            id: "CVE-2022-37325",
         },
      ],
   },
   credits: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/credits#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Debian",
      sources: [
         {
            db: "PACKETSTORM",
            id: "171105",
         },
      ],
      trust: 0.1,
   },
   cve: "CVE-2022-37325",
   cvss: {
      "@context": {
         cvssV2: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2",
         },
         cvssV3: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/",
         },
         severity: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/cvss/severity#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            cvssV2: [],
            cvssV3: [
               {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  author: "nvd@nist.gov",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  exploitabilityScore: 3.9,
                  id: "CVE-2022-37325",
                  impactScore: 3.6,
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  trust: 1,
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
            ],
            severity: [
               {
                  author: "nvd@nist.gov",
                  id: "CVE-2022-37325",
                  trust: 1,
                  value: "HIGH",
               },
               {
                  author: "CNNVD",
                  id: "CNNVD-202212-2138",
                  trust: 0.6,
                  value: "HIGH",
               },
            ],
         },
      ],
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-202212-2138",
         },
         {
            db: "NVD",
            id: "CVE-2022-37325",
         },
      ],
   },
   description: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/description#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a crash. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n- -------------------------------------------------------------------------\nDebian Security Advisory DSA-5358-1                   security@debian.org\nhttps://www.debian.org/security/                          Markus Koschany\nFebruary 23, 2023                     https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage        : asterisk\nCVE ID         : CVE-2022-23537 CVE-2022-23547 CVE-2022-31031 CVE-2022-37325\n                 CVE-2022-39244 CVE-2022-39269 CVE-2022-42705 CVE-2022-42706\n\nMultiple security vulnerabilities have been discovered in Asterisk, an Open\nSource Private Branch Exchange. Buffer overflows and other programming errors\ncould be exploited for launching a denial of service attack or the execution of\narbitrary code. \n\nFor the stable distribution (bullseye), these problems have been fixed in\nversion 1:16.28.0~dfsg-0+deb11u2. \n\nWe recommend that you upgrade your asterisk packages. \n\nFor the detailed security status of asterisk please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/asterisk\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmP3LTtfFIAAAAAALgAo\naXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD\nRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7\nUeQLpw/8CshgHqfiBn5zx4yxf0mmnHaeXDpDmebNz0MLPJQOBHLn6IBFyAu+TpM5\no9CgBlgTx6LdXToik+0QQtG50EnCp+2gPQ+dalY7lHswTfdwqIrMIM8NUwtOo9ut\nDUUptPBTbUVDICh/OZfiNE3EfxAJ5Z6ktoqC/L8IqCx/S1ZwbdQJSVXAAQJJUVyT\nsyXDNHpoYqehm6p0JKOAbYkROnCKyvfhrtu9clZgUx0lhlxGRpAMspO15mUTyxqR\nxLwsWAqWyfPXTZBpa6Ym8Aa8vQeDrvk3QakigvhnYHxhz51eJiH8WcsIzh2NQLW0\nCsJHYx+Hq3rVUHpIWvPyR00HeKfGNu4pYzXS8RAhuKricEgxNWEQKWxYO76+xrWt\navZ1ebREYG2+6AcneB3ceSCPNEg3YeySmf5RyFYy+3s307OsA8/kbSwzsi4lmBZe\n1+bqDZvcb76dEz2d5bFaC9qJ3EUX3C19B4mo/bi+IW4s8YypZZX3OpmH5jCkIFKF\nXiEmuDj3rtrDYSzQgSCKgflXQIv63UsUn3NbZk2KIkQTZRpBfT8p5M7DWwozOCbO\n9CN6gsjkM/H+YT2FfEdXMsqw7H6tl3wv1HUIj9dDaAYfxfnHGMfe3jeSBA84Ql1J\n+NrQctHyDGHo5WcU4ThMNawTuz+FUn/MHb4+ycyP8TjZa/RHX4M=HsMO\n-----END PGP SIGNATURE-----\n",
      sources: [
         {
            db: "NVD",
            id: "CVE-2022-37325",
         },
         {
            db: "PACKETSTORM",
            id: "171105",
         },
      ],
      trust: 0.99,
   },
   external_ids: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            db: "NVD",
            id: "CVE-2022-37325",
            trust: 1.7,
         },
         {
            db: "AUSCERT",
            id: "ESB-2022.6287",
            trust: 0.6,
         },
         {
            db: "CNNVD",
            id: "CNNVD-202212-2138",
            trust: 0.6,
         },
         {
            db: "PACKETSTORM",
            id: "171105",
            trust: 0.1,
         },
      ],
      sources: [
         {
            db: "PACKETSTORM",
            id: "171105",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202212-2138",
         },
         {
            db: "NVD",
            id: "CVE-2022-37325",
         },
      ],
   },
   id: "VAR-202212-0160",
   iot: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/iot#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: true,
      sources: [
         {
            db: "VARIoT devices database",
            id: null,
         },
      ],
      trust: 1,
   },
   last_update_date: "2024-08-14T13:06:23.463000Z",
   patch: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/patch#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            title: "Asterisk Buffer error vulnerability fix",
            trust: 0.6,
            url: "http://123.124.177.30/web/xxk/bdxqById.tag?id=216716",
         },
      ],
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-202212-2138",
         },
      ],
   },
   problemtype_data: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            problemtype: "CWE-787",
            trust: 1,
         },
      ],
      sources: [
         {
            db: "NVD",
            id: "CVE-2022-37325",
         },
      ],
   },
   references: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/references#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            trust: 1.6,
            url: "https://www.debian.org/security/2023/dsa-5358",
         },
         {
            trust: 1.6,
            url: "https://downloads.asterisk.org/pub/security/ast-2022-007.html",
         },
         {
            trust: 1.6,
            url: "https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html",
         },
         {
            trust: 0.6,
            url: "https://vigilance.fr/vulnerability/asterisk-open-source-denial-of-service-via-h323-channel-add-on-40000",
         },
         {
            trust: 0.6,
            url: "https://www.auscert.org.au/bulletins/esb-2022.6287",
         },
         {
            trust: 0.6,
            url: "https://cxsecurity.com/cveshow/cve-2022-37325/",
         },
         {
            trust: 0.1,
            url: "https://www.debian.org/security/",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-23547",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-31031",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-37325",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-39244",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-39269",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-42705",
         },
         {
            trust: 0.1,
            url: "https://www.debian.org/security/faq",
         },
         {
            trust: 0.1,
            url: "https://security-tracker.debian.org/tracker/asterisk",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-42706",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2022-23537",
         },
      ],
      sources: [
         {
            db: "PACKETSTORM",
            id: "171105",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202212-2138",
         },
         {
            db: "NVD",
            id: "CVE-2022-37325",
         },
      ],
   },
   sources: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            db: "PACKETSTORM",
            id: "171105",
         },
         {
            db: "CNNVD",
            id: "CNNVD-202212-2138",
         },
         {
            db: "NVD",
            id: "CVE-2022-37325",
         },
      ],
   },
   sources_release_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2023-02-23T16:33:14",
            db: "PACKETSTORM",
            id: "171105",
         },
         {
            date: "2022-12-02T00:00:00",
            db: "CNNVD",
            id: "CNNVD-202212-2138",
         },
         {
            date: "2022-12-05T21:15:10.073000",
            db: "NVD",
            id: "CVE-2022-37325",
         },
      ],
   },
   sources_update_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2023-02-27T00:00:00",
            db: "CNNVD",
            id: "CNNVD-202212-2138",
         },
         {
            date: "2023-02-24T00:15:11.757000",
            db: "NVD",
            id: "CVE-2022-37325",
         },
      ],
   },
   threat_type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "remote",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-202212-2138",
         },
      ],
      trust: 0.6,
   },
   title: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/title#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Asterisk Buffer error vulnerability",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-202212-2138",
         },
      ],
      trust: 0.6,
   },
   type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "buffer error",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-202212-2138",
         },
      ],
      trust: 0.6,
   },
}

gsd-2022-37325

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

Aliases

CVE-2022-37325

Aliases

CVE-2022-37325

JSON

To clipboard

{
   GSD: {
      alias: "CVE-2022-37325",
      description: "In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a crash.",
      id: "GSD-2022-37325",
      references: [
         "https://www.debian.org/security/2023/dsa-5358",
      ],
   },
   gsd: {
      metadata: {
         exploitCode: "unknown",
         remediation: "unknown",
         reportConfidence: "confirmed",
         type: "vulnerability",
      },
      osvSchema: {
         aliases: [
            "CVE-2022-37325",
         ],
         details: "In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a crash.",
         id: "GSD-2022-37325",
         modified: "2023-12-13T01:19:13.784563Z",
         schema_version: "1.4.0",
      },
   },
   namespaces: {
      "cve.org": {
         CVE_data_meta: {
            ASSIGNER: "cve@mitre.org",
            ID: "CVE-2022-37325",
            STATE: "PUBLIC",
         },
         affects: {
            vendor: {
               vendor_data: [
                  {
                     product: {
                        product_data: [
                           {
                              product_name: "n/a",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "n/a",
                                    },
                                 ],
                              },
                           },
                        ],
                     },
                     vendor_name: "n/a",
                  },
               ],
            },
         },
         data_format: "MITRE",
         data_type: "CVE",
         data_version: "4.0",
         description: {
            description_data: [
               {
                  lang: "eng",
                  value: "In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a crash.",
               },
            ],
         },
         problemtype: {
            problemtype_data: [
               {
                  description: [
                     {
                        lang: "eng",
                        value: "n/a",
                     },
                  ],
               },
            ],
         },
         references: {
            reference_data: [
               {
                  name: "https://downloads.asterisk.org/pub/security/AST-2022-007.html",
                  refsource: "MISC",
                  url: "https://downloads.asterisk.org/pub/security/AST-2022-007.html",
               },
               {
                  name: "[debian-lts-announce] 20230222 [SECURITY] [DLA 3335-1] asterisk security update",
                  refsource: "MLIST",
                  url: "https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html",
               },
               {
                  name: "DSA-5358",
                  refsource: "DEBIAN",
                  url: "https://www.debian.org/security/2023/dsa-5358",
               },
            ],
         },
      },
      "nvd.nist.gov": {
         configurations: {
            CVE_data_version: "4.0",
            nodes: [
               {
                  children: [],
                  cpe_match: [
                     {
                        cpe23Uri: "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
                        cpe_name: [],
                        versionEndExcluding: "19.7.1",
                        versionStartIncluding: "19.0.0",
                        vulnerable: true,
                     },
                     {
                        cpe23Uri: "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
                        cpe_name: [],
                        versionEndExcluding: "18.15.1",
                        versionStartIncluding: "18.0.0",
                        vulnerable: true,
                     },
                     {
                        cpe23Uri: "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
                        cpe_name: [],
                        versionEndExcluding: "16.29.1",
                        versionStartIncluding: "16.0.0",
                        vulnerable: true,
                     },
                     {
                        cpe23Uri: "cpe:2.3:a:sangoma:asterisk:20.0.0:*:*:*:*:*:*:*",
                        cpe_name: [],
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
            ],
         },
         cve: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2022-37325",
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "en",
                     value: "In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a crash.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "en",
                           value: "CWE-787",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://downloads.asterisk.org/pub/security/AST-2022-007.html",
                     refsource: "MISC",
                     tags: [
                        "Mitigation",
                        "Patch",
                        "Vendor Advisory",
                     ],
                     url: "https://downloads.asterisk.org/pub/security/AST-2022-007.html",
                  },
                  {
                     name: "[debian-lts-announce] 20230222 [SECURITY] [DLA 3335-1] asterisk security update",
                     refsource: "MLIST",
                     tags: [],
                     url: "https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html",
                  },
                  {
                     name: "DSA-5358",
                     refsource: "DEBIAN",
                     tags: [],
                     url: "https://www.debian.org/security/2023/dsa-5358",
                  },
               ],
            },
         },
         impact: {
            baseMetricV3: {
               cvssV3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               exploitabilityScore: 3.9,
               impactScore: 3.6,
            },
         },
         lastModifiedDate: "2023-02-24T00:15Z",
         publishedDate: "2022-12-05T21:15Z",
      },
   },
}

fkie_cve-2022-37325

Vulnerability from fkie_nvd

Published

2022-12-05 21:15

Modified

2025-04-24 15:15

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
cve@mitre.org	https://downloads.asterisk.org/pub/security/AST-2022-007.html	Mitigation, Patch, Vendor Advisory
cve@mitre.org	https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html
cve@mitre.org	https://www.debian.org/security/2023/dsa-5358
af854a3a-2127-422b-91ae-364da2661108	https://downloads.asterisk.org/pub/security/AST-2022-007.html	Mitigation, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html
af854a3a-2127-422b-91ae-364da2661108	https://www.debian.org/security/2023/dsa-5358

Impacted products

Vendor	Product	Version
sangoma	asterisk	*
sangoma	asterisk	*
sangoma	asterisk	*
sangoma	asterisk	20.0.0

JSON

To clipboard

{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "3632620E-8A6D-4D65-BED9-80C0E7CEA8DD",
                     versionEndExcluding: "16.29.1",
                     versionStartIncluding: "16.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "F944B1A0-EE6E-4FA3-905D-F37AD20D567B",
                     versionEndExcluding: "18.15.1",
                     versionStartIncluding: "18.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "A1A640E6-6378-4FA4-98B5-C32B5A937F7B",
                     versionEndExcluding: "19.7.1",
                     versionStartIncluding: "19.0.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:sangoma:asterisk:20.0.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "ADB799D3-B6BE-468C-8D3E-B087ED287B24",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a crash.",
      },
      {
         lang: "es",
         value: "En Sangoma Asterisk hasta 16.28.0, 17.x y 18.x hasta 18.14.0, y 19.x hasta 19.6.0, un mensaje de configuración entrante a addons/ooh323c/src/ooq931.c con una persona que llama o una persona llamada con formato incorrecto IE puede provocar un bloqueo.",
      },
   ],
   id: "CVE-2022-37325",
   lastModified: "2025-04-24T15:15:47.787",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 7.5,
               baseSeverity: "HIGH",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 3.9,
            impactScore: 3.6,
            source: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
            type: "Secondary",
         },
      ],
   },
   published: "2022-12-05T21:15:10.073",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Mitigation",
            "Patch",
            "Vendor Advisory",
         ],
         url: "https://downloads.asterisk.org/pub/security/AST-2022-007.html",
      },
      {
         source: "cve@mitre.org",
         url: "https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html",
      },
      {
         source: "cve@mitre.org",
         url: "https://www.debian.org/security/2023/dsa-5358",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mitigation",
            "Patch",
            "Vendor Advisory",
         ],
         url: "https://downloads.asterisk.org/pub/security/AST-2022-007.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://www.debian.org/security/2023/dsa-5358",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-787",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
      {
         description: [
            {
               lang: "en",
               value: "CWE-787",
            },
         ],
         source: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
         type: "Secondary",
      },
   ],
}

ghsa-m52q-h2w3-62w3

Vulnerability from github

Published

2022-12-05 21:30

Modified

2022-12-07 18:30

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

Show details on source website

JSON

To clipboard

{
   affected: [],
   aliases: [
      "CVE-2022-37325",
   ],
   database_specific: {
      cwe_ids: [
         "CWE-787",
      ],
      github_reviewed: false,
      github_reviewed_at: null,
      nvd_published_at: "2022-12-05T21:15:00Z",
      severity: "HIGH",
   },
   details: "In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a crash.",
   id: "GHSA-m52q-h2w3-62w3",
   modified: "2022-12-07T18:30:25Z",
   published: "2022-12-05T21:30:41Z",
   references: [
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2022-37325",
      },
      {
         type: "WEB",
         url: "https://downloads.asterisk.org/pub/security/AST-2022-007.html",
      },
      {
         type: "WEB",
         url: "https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html",
      },
      {
         type: "WEB",
         url: "https://www.debian.org/security/2023/dsa-5358",
      },
   ],
   schema_version: "1.4.0",
   severity: [
      {
         score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
         type: "CVSS_V3",
      },
   ],
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2022-37325

Vulnerability from cvelistv5

WID-SEC-W-2022-2218

Vulnerability from csaf_certbund

wid-sec-w-2022-2218

Vulnerability from csaf_certbund

var-202212-0160

Vulnerability from variot

gsd-2022-37325

Vulnerability from gsd

fkie_cve-2022-37325

Vulnerability from fkie_nvd

ghsa-m52q-h2w3-62w3

Vulnerability from github

Tags

Sightings

Nomenclature