CVE-2017-17850


An issue was discovered in Asterisk 13.18.4 and older, 14.7.4 and older, 15.1.4 and older, and 13.18-cert1 and older. A select set of SIP messages creates a dialog in Asterisk, and those messages must contain a Contact header. If the header was not present in such a message and the PJSIP channel driver was in use, Asterisk would crash. The severity of this vulnerability is somewhat mitigated if authentication is enabled: a user would then have to first be authorized before reaching the crash point.


Published: 2017-12-27T17:08:20.017

Last Modified: 2025-04-20T01:37:25.860

Status: Deferred

Source: [email protected]

Severity: CVSSv3.0 7.5 (HIGH)

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: PARTIAL

Exploitability Score: 10.0

Impact Score: 2.9

Weaknesses
  • CWE-20 (Type: Primary)

Affected Vendors & Products
Type         Vendor  Product             Version/Range  Vulnerable?
Application  digium  asterisk            ≤ 13.18.4      Yes
Application  digium  asterisk            ≤ 14.7.4       Yes
Application  digium  asterisk            ≤ 15.1.4       Yes
Application  digium  certified_asterisk  13.1.0         Yes
Application  digium  certified_asterisk  13.1.0         Yes
Application  digium  certified_asterisk  13.1.0         Yes
Application  digium  certified_asterisk  13.8           Yes

References