Vulnerability Database

289,697

Total vulnerabilities in the database

CVE-2016-9938

An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace. This means that headers such as Contact\x01: will be seen as a valid Contact header. This mostly does not pose a problem until Asterisk is placed in tandem with an authenticating SIP proxy. In such a case, a crafty combination of valid and invalid To headers can cause a proxy to allow an INVITE request into Asterisk without authentication since it believes the request is an in-dialog request. However, because of the bug described above, the request will look like an out-of-dialog request to Asterisk. Asterisk will then process the request as a new call. The result is that Asterisk can process calls from unvetted sources without any authentication. If you do not use a proxy for authentication, then this issue does not affect you. If your proxy is dialog-aware (meaning that the proxy keeps track of what dialogs are currently valid), then this issue does not affect you. If you use chan_pjsip instead of chan_sip, then this issue does not affect you.

  • Published: Dec 12, 2016
  • Updated: Apr 13, 2023
  • CVE: CVE-2016-9938
  • Severity: Medium
  • Exploit:

CVSS v3:

  • Severity: Medium
  • Score: 5.3
  • AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v2:

  • Severity: Medium
  • Score: 5
  • AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

OWASP TOP 10:

Software From Fixed in
digium / asterisk 13.1.0 13.1.0.x
digium / asterisk 13.2.1 13.2.1.x
digium / asterisk 13.8.0-rc1 13.8.0-rc1.x
digium / asterisk 11.14.0 11.14.0.x
digium / asterisk 13.7.1 13.7.1.x
digium / asterisk 11.2.0-rc2 11.2.0-rc2.x
digium / asterisk 11.21.0 11.21.0.x
digium / asterisk 11.22.0 11.22.0.x
digium / asterisk 11.10.2 11.10.2.x
digium / asterisk 11.0.0-rc2 11.0.0-rc2.x
digium / asterisk 11.2.0 11.2.0.x
digium / asterisk 11.1.1 11.1.1.x
digium / asterisk 13.1.1 13.1.1.x
digium / asterisk 11.21.1 11.21.1.x
digium / asterisk 13.4.0 13.4.0.x
digium / asterisk 11.10.1 11.10.1.x
digium / asterisk 11.16.0 11.16.0.x
digium / asterisk 11.11.0 11.11.0.x
digium / asterisk 11.12.1 11.12.1.x
digium / asterisk 14.0.0-beta1 14.0.0-beta1.x
digium / asterisk 11.23.0-rc1 11.23.0-rc1.x
digium / asterisk 13.2.0 13.2.0.x
digium / asterisk 11.0.2 11.0.2.x
digium / asterisk 11.2.0-rc1 11.2.0-rc1.x
digium / asterisk 11.0.0-beta1 11.0.0-beta1.x
digium / asterisk 11.18.0 11.18.0.x
digium / asterisk 11.17.0 11.17.0.x
digium / asterisk 13.3.2 13.3.2.x
digium / asterisk 13.0.1 13.0.1.x
digium / asterisk 11.7.0 11.7.0.x
digium / asterisk 11.22.0-rc1 11.22.0-rc1.x
digium / asterisk 13.7.0 13.7.0.x
digium / asterisk 14.1.1 14.1.1.x
digium / asterisk 11.23.1 11.23.1.x
digium / asterisk 11.12.0 11.12.0.x
digium / asterisk 13.10.0-rc1 13.10.0-rc1.x
digium / asterisk 13.10.0 13.10.0.x
digium / asterisk 11.15.1 11.15.1.x
digium / asterisk 11.0.0 11.0.0.x
digium / asterisk 11.10.0 11.10.0.x
digium / asterisk 13.8.0 13.8.0.x
digium / asterisk 13.11.1 13.11.1.x
digium / asterisk 11.25.0 11.25.0.x
digium / asterisk 11.4.0 11.4.0.x
digium / asterisk 13.11.0 13.11.0.x
digium / asterisk 11.13.0 11.13.0.x
digium / asterisk 13.9.0 13.9.0.x
digium / asterisk 13.12.0 13.12.0.x
digium / asterisk 13.3.0 13.3.0.x
digium / asterisk 11.24.1 11.24.1.x
digium / asterisk 14.0.0-rc1 14.0.0-rc1.x
digium / asterisk 13.8.1 13.8.1.x
digium / asterisk 13.12.2 13.12.2.x
digium / asterisk 11.1.0-rc3 11.1.0-rc3.x
digium / asterisk 13.0.0-beta1 13.0.0-beta1.x
digium / asterisk 11.8.1 11.8.1.x
digium / asterisk 14.2.0 14.2.0.x
digium / asterisk 14.0.0 14.0.0.x
digium / asterisk 14.1.2 14.1.2.x
digium / asterisk 11.19.0 11.19.0.x
digium / asterisk 11.1.2 11.1.2.x
digium / asterisk 13.0.0 13.0.0.x
digium / asterisk 13.13.0 13.13.0.x
digium / asterisk 11.21.2 11.21.2.x
digium / asterisk 11.14.2 11.14.2.x
digium / asterisk 13.9.1 13.9.1.x
digium / asterisk 14.0.2 14.0.2.x
digium / asterisk 11.5.0 11.5.0.x
digium / asterisk 11.15.0 11.15.0.x
digium / asterisk 13.3.1 13.3.1.x
digium / asterisk 11.2.2 11.2.2.x
digium / asterisk 14.0.0-rc2 14.0.0-rc2.x
digium / asterisk 11.14.1 11.14.1.x
digium / asterisk 13.0.2 13.0.2.x
digium / asterisk 11.1.0 11.1.0.x
digium / asterisk 13.7.2 13.7.2.x
digium / asterisk 11.17.1 11.17.1.x
digium / asterisk 11.0.0-beta2 11.0.0-beta2.x
digium / asterisk 11.1.0-rc1 11.1.0-rc1.x
digium / asterisk 13.11.2 13.11.2.x
digium / asterisk 14.0.0-beta2 14.0.0-beta2.x
digium / asterisk 14.0.1 14.0.1.x
digium / asterisk 11.0.1 11.0.1.x
digium / asterisk 11.8.0 11.8.0.x
digium / asterisk 13.12.1 13.12.1.x
digium / asterisk 11.6.0 11.6.0.x
digium / asterisk 13.5.0 13.5.0.x
digium / asterisk 11.23.0 11.23.0.x
digium / asterisk 13.8.2 13.8.2.x
digium / asterisk 13.0.0-beta3 13.0.0-beta3.x
digium / asterisk 13.6.0 13.6.0.x
digium / asterisk 14.1.0 14.1.0.x
digium / asterisk 11.24.0 11.24.0.x
digium / asterisk 11.9.0 11.9.0.x
digium / asterisk 11.2.1 11.2.1.x
digium / asterisk 11.5.1 11.5.1.x
digium / asterisk 11.3.0 11.3.0.x
digium / asterisk 11.13.1 11.13.1.x
digium / asterisk 11.20.0 11.20.0.x
digium / asterisk 13.0.0-beta2 13.0.0-beta2.x
digium / asterisk 11.6.1 11.6.1.x
digium / asterisk 11.0.0-rc1 11.0.0-rc1.x
digium / certified_asterisk 11.6-cert13 11.6-cert13.x
digium / certified_asterisk 11.4.0-rc3 11.4.0-rc3.x
digium / certified_asterisk 11.6-cert8 11.6-cert8.x
digium / certified_asterisk 11.6-cert2 11.6-cert2.x
digium / certified_asterisk 11.1.0-rc3 11.1.0-rc3.x
digium / certified_asterisk 11.6-cert7 11.6-cert7.x
digium / certified_asterisk 11.6-cert4 11.6-cert4.x
digium / certified_asterisk 11.3.0-rc2 11.3.0-rc2.x
digium / certified_asterisk 11.6-cert3 11.6-cert3.x
digium / certified_asterisk 11.2.0-rc1 11.2.0-rc1.x
digium / certified_asterisk 11.3.0 11.3.0.x
digium / certified_asterisk 11.0.0 11.0.0.x
digium / certified_asterisk 11.6-cert9 11.6-cert9.x
digium / certified_asterisk 11.0.0-rc1 11.0.0-rc1.x
digium / certified_asterisk 11.5.0-rc2 11.5.0-rc2.x
digium / certified_asterisk 11.6-cert12 11.6-cert12.x
digium / certified_asterisk 11.6-cert1 11.6-cert1.x
digium / certified_asterisk 11.4.0 11.4.0.x
digium / certified_asterisk 11.4.0-rc1 11.4.0-rc1.x
digium / certified_asterisk 11.6.0 11.6.0.x
digium / certified_asterisk 11.6-cert1_rc2 11.6-cert1_rc2.x
digium / certified_asterisk 11.3.0-rc1 11.3.0-rc1.x
digium / certified_asterisk 11.2.0-rc2 11.2.0-rc2.x
digium / certified_asterisk 11.1.0-rc2 11.1.0-rc2.x
digium / certified_asterisk 11.6-cert14 11.6-cert14.x
digium / certified_asterisk 11.6-cert15 11.6-cert15.x
digium / certified_asterisk 11.6.0-rc1 11.6.0-rc1.x
digium / certified_asterisk 11.4.0-rc2 11.4.0-rc2.x
digium / certified_asterisk 11.0.0-rc2 11.0.0-rc2.x
digium / certified_asterisk 11.5.0-rc1 11.5.0-rc1.x
digium / certified_asterisk 11.6-cert1_rc1 11.6-cert1_rc1.x
digium / certified_asterisk 11.6-cert11 11.6-cert11.x
digium / certified_asterisk 11.2.0 11.2.0.x
digium / certified_asterisk 11.6-cert6 11.6-cert6.x
digium / certified_asterisk 11.6-cert10 11.6-cert10.x
digium / certified_asterisk 11.5.0 11.5.0.x
digium / certified_asterisk 11.1.0-rc1 11.1.0-rc1.x
digium / certified_asterisk 11.1.0 11.1.0.x
digium / certified_asterisk 11.6-cert5 11.6-cert5.x
digium / certified_asterisk 11.6.0-rc2 11.6.0-rc2.x