CVE-2023-37457
CVSS V2 None
CVSS V3 None
Description
Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk versions 18.20.0 and prior, 20.5.0 and prior, and 21.0.0; as well as ceritifed-asterisk 18.9-cert5 and prior, the 'update' functionality of the PJSIP_HEADER dialplan function can exceed the available buffer space for storing the new value of a header. By doing so this can overwrite memory or cause a crash. This is not externally exploitable, unless dialplan is explicitly written to update a header based on data from an outside source. If the 'update' functionality is not used the vulnerability does not occur. A patch is available at commit a1ca0268254374b515fa5992f01340f7717113fa.
Overview
- CVE ID
- CVE-2023-37457
- Assigner
- GitHub_M
- Vulnerability Status
- PUBLISHED
- Published Version
- 2023-12-14T19:43:30.945Z
- Last Modified Date
- 2023-12-14T19:43:30.945Z
Weakness Enumerations
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/asterisk/asterisk/security/advisories/GHSA-98rc-4j27-74hh | x_refsource_CONFIRM |
| https://github.com/asterisk/asterisk/commit/a1ca0268254374b515fa5992f01340f7717113fa | x_refsource_MISC |
| https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2023-37457 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37457 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2024-06-25 01:14:10 | Added to TrackCVE |