Home > Vulnerability Database > CVE-2023-37457

Mend.io Vulnerability Database

CVE-2023-37457

Good to know:

Date: December 14, 2023

Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk versions 18.20.0 and prior, 20.5.0 and prior, and 21.0.0; as well as ceritifed-asterisk 18.9-cert5 and prior, the 'update' functionality of the PJSIP_HEADER dialplan function can exceed the available buffer space for storing the new value of a header. By doing so this can overwrite memory or cause a crash. This is not externally exploitable, unless dialplan is explicitly written to update a header based on data from an outside source. If the 'update' functionality is not used the vulnerability does not occur. A patch is available at commit a1ca0268254374b515fa5992f01340f7717113fa.

Language: C

Severity Score

8.2

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-37457

Url: https://github.com/asterisk/asterisk/security/advisories/GHSA-98rc-4j27-74hh

Url: https://github.com/asterisk/asterisk/commit/a1ca0268254374b515fa5992f01340f7717113fa

Url: https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html

Url: https://security-tracker.debian.org/tracker/CVE-2023-37457

Url: https://www.mend.io/vulnerability-database/CVE-2023-37457

Severity Score

8.2

Weakness Type (CWE)

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-120

Top Fix

Upgrade Version

Upgrade to version 18.9-cert6,18.20.1,20.5.1,21.0.1

Learn More

CVSS v3.1

Base Score:	8.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-37457

Good to know:

Date: December 14, 2023

Language: C

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?