CVE-2011-0495

Vulnerability Description

Stack-based buffer overflow in the ast_uri_encode function in main/utils.c in Asterisk Open Source before 1.4.38.1, 1.4.39.1, 1.6.1.21, 1.6.2.15.1, 1.6.2.16.1, 1.8.1.2, 1.8.2.; and Business Edition before C.3.6.2; when running in pedantic mode allows remote authenticated users to execute arbitrary code via crafted caller ID data in vectors involving the (1) SIP channel driver, (2) URIENCODE dialplan function, or (3) AGI dialplan function.

CVSS Score

Affected Products

Related Weaknesses (CWE)

References

• http://downloads.asterisk.org/pub/security/AST-2011-001-1.6.2.diffPatchVendor Advisory
• http://downloads.asterisk.org/pub/security/AST-2011-001.htmlVendor Advisory
• http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053689.hThird Party Advisory
• http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053713.hThird Party Advisory
• http://osvdb.org/70518Broken Link
• http://secunia.com/advisories/42935Third Party Advisory
• http://secunia.com/advisories/43119Third Party Advisory
• http://secunia.com/advisories/43373Third Party Advisory
• http://www.debian.org/security/2011/dsa-2171Third Party Advisory
• http://www.securityfocus.com/archive/1/515781/100/0/threadedThird Party AdvisoryVDB Entry
• http://www.securityfocus.com/bid/45839Third Party AdvisoryVDB Entry
• http://www.vupen.com/english/advisories/2011/0159Permissions Required
• http://www.vupen.com/english/advisories/2011/0281Permissions Required
• http://www.vupen.com/english/advisories/2011/0449Permissions Required
• https://exchange.xforce.ibmcloud.com/vulnerabilities/64831Third Party AdvisoryVDB Entry