CVE-2018-17281
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2018-17281
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-17281.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2018-17281
- Downstream
- Published
- 2018-09-24T22:29:01Z
- Modified
- 2025-10-15T04:35:43Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
There is a stack consumption vulnerability in the reshttpwebsocket.so module of Asterisk through 13.23.0, 14.7.x through 14.7.7, and 15.x through 15.6.0 and Certified Asterisk through 13.21-cert2. It allows an attacker to crash Asterisk via a specially crafted HTTP request to upgrade the connection to a websocket.
- References
-
- http://downloads.asterisk.org/pub/security/AST-2018-009.html
- http://packetstormsecurity.com/files/149453/Asterisk-Project-Security-Advisory-AST-2018-009.html
- http://seclists.org/fulldisclosure/2018/Sep/31
- http://www.securityfocus.com/bid/105389
- http://www.securitytracker.com/id/1041694
- https://issues.asterisk.org/jira/browse/ASTERISK-28013
- https://lists.debian.org/debian-lts-announce/2018/09/msg00034.html
- https://seclists.org/bugtraq/2018/Sep/53
- https://security.gentoo.org/glsa/201811-11
- https://www.debian.org/security/2018/dsa-4320
Affected packages
Git / github.com/asterisk/asterisk
Affected ranges
- Type
- GIT
- Repo
- https://github.com/asterisk/asterisk
- Events
-
Last affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedIntroducedLast affectedIntroducedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedIntroducedLast affected