CVE-2021-46837

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-46837
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-46837.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-46837
Related
Published
2022-08-30T07:15:07Z
Modified
2024-10-12T08:42:06.572655Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

respjsipt38 in Sangoma Asterisk 16.x before 16.16.2, 17.x before 17.9.3, and 18.x before 18.2.2, and Certified Asterisk before 16.8-cert7, allows an attacker to trigger a crash by sending an m=image line and zero port in a response to a T.38 re-invite initiated by Asterisk. This is a re-occurrence of the CVE-2019-15297 symptoms but not for exactly the same reason. The crash occurs because there is an append operation relative to the active topology, but this should instead be a replace operation.

References

Affected packages

Debian:11 / asterisk

Package

Name
asterisk
Purl
pkg:deb/debian/asterisk?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:16.28.0~dfsg-0+deb11u1

Affected versions

1:16.*

1:16.16.1~dfsg-1
1:16.16.1~dfsg-1+deb11u1~bpo10+1
1:16.16.1~dfsg-1+deb11u1
1:16.16.1~dfsg-2
1:16.16.1~dfsg-3
1:16.16.1~dfsg-4
1:16.16.1~dfsg+~2.10-1
1:16.16.1~dfsg+~2.10-2
1:16.23.0~dfsg+~2.10-1
1:16.23.0~dfsg+~cs6.10.20220309-1
1:16.23.0~dfsg+~cs6.10.20220309-2
1:16.23.0~dfsg+~cs6.10.40431411-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/asterisk/asterisk

Affected ranges

Type
GIT
Repo
https://github.com/asterisk/asterisk
Events