CVE-2022-26498

An issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it is possible to download files that are not certificates. These files could be much larger than what one would expect to download, leading to Resource Exhaustion. This is fixed in 16.25.2, 18.11.2, and 19.3.2.

Published: Apr 15, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-26498
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-400

Affected Software
References

Software	From	Fixed in
digium / asterisk	19.0.0	19.3.1.x
digium / asterisk	16.15.0	16.25.1.x
digium / asterisk	18.0	18.11.2
debian / debian_linux	10.0	10.0.x
debian / debian_linux	11.0	11.0.x

http://packetstormsecurity.com/files/166744/Asterisk-Project-Security-Advisory-AST-2022-001.html
http://packetstormsecurity.com/files/172139/Shannon-Baseband-chatroom-SDP-Attribute-Memory-Corruption.html
https://downloads.asterisk.org/pub/security/
https://downloads.asterisk.org/pub/security/AST-2022-001.html
https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
https://www.debian.org/security/2022/dsa-5285

Vulnerability Database

289,697

CVE-2022-26498