216.73.217.86

CVE-2025-49832

· Published 01/08/2025 18:15 · Modified 01/08/2025 18:15

Labels: CVE-2025-49832 2025-08-01CVE-2025-49832CWE-476[email protected]

Essential information

Published
01/08/2025 18:15
Modified
01/08/2025 18:15
Author
Creator
CVSS
6.5 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS metrics

Description

Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in `asterisk/res/res_stir_shaken /verification.c` that can be exploited when an attacker can set an arbitrary Identity header, or STIR/SHAKEN is enabled, with verification set in the SIP profile associated with the endpoint to be attacked. This is fixed in versions 18.26.3, 20.7-cert6, 20.15.1, 21.10.1 and 22.5.1.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
asterisk / asterisk cpe:2.3:a:asterisk:asterisk:<18.26.3:*:*:*:*:*:*:*
asterisk / asterisk cpe:2.3:a:asterisk:asterisk:20.0.0-20.15.0:*:*:*:*:*:*:*
asterisk / asterisk cpe:2.3:a:asterisk:asterisk:20.7-cert6:*:*:*:*:*:*:*
asterisk / asterisk cpe:2.3:a:asterisk:asterisk:21.0.0:*:*:*:*:*:*:*
asterisk / asterisk cpe:2.3:a:asterisk:asterisk:22.0.0-22.5.0:*:*:*:*:*:*:*

References