Search Results
- Keyword (text search): asterisk
- Search Type: Search All
Vuln ID | Summary | CVSS Severity
---|---|---
CVE-2024-0986 | A vulnerability was found in Issabel PBX 4.0.0. It has been rated as critical. This issue affects some unknown processing of the file /index.php?menu=asterisk_cli of the component Asterisk-Cli. The manipulation of the argument Command leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252251. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. Published: January 28, 2024; 7:15:07 PM -0500 | V3.1: 9.8 CRITICAL V2.0: (not available)
CVE-2023-49786 | Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1; as well as certified-asterisk prior to 18.9-cert6; Asterisk is susceptible to a DoS due to a race condition in the hello handshake phase of the DTLS protocol when handling DTLS-SRTP for media setup. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable Asterisk servers for calls that rely on DTLS-SRTP. Commit d7d7764cb07c8a1872804321302ef93bf62cba05 contains a fix, which is part of versions 18.20.1, 20.5.1, 21.0.1, and 18.9-cert6. Published: December 14, 2023; 3:15:52 PM -0500 | V3.1: 5.9 MEDIUM V2.0: (not available)
CVE-2023-49294 | Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, it is possible to read any arbitrary file even when the `live_dangerously` is not enabled. This allows arbitrary files to be read. Asterisk versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, contain a fix for this issue. Published: December 14, 2023; 3:15:52 PM -0500 | V3.1: 7.5 HIGH V2.0: (not available)
CVE-2023-37457 | Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk versions 18.20.0 and prior, 20.5.0 and prior, and 21.0.0; as well as certified-asterisk 18.9-cert5 and prior, the 'update' functionality of the PJSIP_HEADER dialplan function can exceed the available buffer space for storing the new value of a header. By doing so this can overwrite memory or cause a crash. This is not externally exploitable, unless dialplan is explicitly written to update a header based on data from an outside source. If the 'update' functionality is not used the vulnerability does not occur. A patch is available at commit a1ca0268254374b515fa5992f01340f7717113fa. Published: December 14, 2023; 3:15:52 PM -0500 | V3.1: 8.2 HIGH V2.0: (not available)
CVE-2023-41934 | Jenkins Pipeline Maven Integration Plugin 1330.v18e473854496 and earlier does not properly mask (i.e., replace with asterisks) usernames of credentials specified in custom Maven settings in Pipeline build logs if "Treat username as secret" is checked. Published: September 06, 2023; 9:15:10 AM -0400 | V3.1: 5.3 MEDIUM V2.0: (not available)
CVE-2023-40340 | Jenkins NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs. Published: August 16, 2023; 11:15:11 AM -0400 | V3.1: 7.5 HIGH V2.0: (not available)
CVE-2023-40339 | Jenkins Config File Provider Plugin 952.va_544a_6234b_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they're written to the build log. Published: August 16, 2023; 11:15:11 AM -0400 | V3.1: 7.5 HIGH V2.0: (not available)
CVE-2023-39152 | Always-incorrect control flow implementation in Jenkins Gradle Plugin 2.8 may result in credentials not being masked (i.e., replaced with asterisks) in the build log in some circumstances. Published: July 26, 2023; 10:15:10 AM -0400 | V3.1: 6.5 MEDIUM V2.0: (not available)
CVE-2023-33001 | Jenkins HashiCorp Vault Plugin 360.v0a_1c04cf807d and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled. Published: May 16, 2023; 1:15:12 PM -0400 | V3.1: 7.5 HIGH V2.0: (not available)
CVE-2023-26567 | Sangoma FreePBX 1805 through 2302 (when obtained as a .ISO file) places AMPDBUSER, AMPDBPASS, AMPMGRUSER, and AMPMGRPASS in the list of global variables. This exposes cleartext authentication credentials for the Asterisk Database (MariaDB/MySQL) and Asterisk Manager Interface. For example, an attacker can make a /ari/asterisk/variable?variable=AMPDBPASS API call. Published: April 26, 2023; 4:15:09 PM -0400 | V3.1: 8.1 HIGH V2.0: (not available)
CVE-2023-30515 | Jenkins Thycotic DevOps Secrets Vault Plugin 1.0.0 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled. Published: April 12, 2023; 2:15:08 PM -0400 | V3.1: 7.5 HIGH V2.0: (not available)
CVE-2023-30514 | Jenkins Azure Key Vault Plugin 187.va_cd5fecd198a_ and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled. Published: April 12, 2023; 2:15:08 PM -0400 | V3.1: 7.5 HIGH V2.0: (not available)
CVE-2023-30513 | Jenkins Kubernetes Plugin 3909.v1f2c633e8590 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled. Published: April 12, 2023; 2:15:07 PM -0400 | V3.1: 7.5 HIGH V2.0: (not available)
CVE-2023-27927 | An authenticated malicious user could acquire the simple mail transfer protocol (SMTP) Password in cleartext format, despite it being protected and hidden behind asterisks. The attacker could then perform further attacks using the SMTP credentials. Published: March 27, 2023; 4:15:09 PM -0400 | V3.1: 6.5 MEDIUM V2.0: (not available)
CVE-2022-42706 | An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to access files outside of the asterisk configuration directory, aka Directory Traversal. Published: December 05, 2022; 4:15:10 PM -0500 | V3.1: 4.9 MEDIUM V2.0: (not available)
CVE-2022-42705 | A use-after-free in res_pjsip_pubsub.c in Sangoma Asterisk 16.28, 18.14, 19.6, and certified/18.9-cert2 may allow a remote authenticated attacker to crash Asterisk (denial of service) by performing activity on a subscription via a reliable transport at the same time that Asterisk is also performing activity on that subscription. Published: December 05, 2022; 4:15:10 PM -0500 | V3.1: 6.5 MEDIUM V2.0: (not available)
CVE-2022-37325 | In Sangoma Asterisk through 16.28.0, 17.x and 18.x through 18.14.0, and 19.x through 19.6.0, an incoming Setup message to addons/ooh323c/src/ooq931.c with a malformed Calling or Called Party IE can cause a crash. Published: December 05, 2022; 4:15:10 PM -0500 | V3.1: 7.5 HIGH V2.0: (not available)
CVE-2021-46837 | res_pjsip_t38 in Sangoma Asterisk 16.x before 16.16.2, 17.x before 17.9.3, and 18.x before 18.2.2, and Certified Asterisk before 16.8-cert7, allows an attacker to trigger a crash by sending an m=image line and zero port in a response to a T.38 re-invite initiated by Asterisk. This is a re-occurrence of the CVE-2019-15297 symptoms but not for exactly the same reason. The crash occurs because there is an append operation relative to the active topology, but this should instead be a replace operation. Published: August 30, 2022; 3:15:07 AM -0400 | V3.1: 6.5 MEDIUM V2.0: (not available)
CVE-2022-38663 | Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (`gitUsernamePassword`) credentials binding. Published: August 23, 2022; 1:15:15 PM -0400 | V3.1: 6.5 MEDIUM V2.0: (not available)
CVE-2021-3652 | A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This flaw allows an attacker to successfully authenticate as a user whose password was disabled. Published: April 18, 2022; 1:15:15 PM -0400 | V3.1: 6.5 MEDIUM V2.0: 6.4 MEDIUM