Vulnerability Description
The SIP channel driver in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before 1.8.15-cert2; Asterisk Business Edition (BE) C.3.x before C.3.8.1; and Asterisk Digiumphones 10.x-digiumphones before 10.12.2-digiumphones exhibits different behavior for invalid INVITE, SUBSCRIBE, and REGISTER transactions depending on whether the user account exists, which allows remote attackers to enumerate account names by (1) reading HTTP status codes, (2) reading additional text in a 403 (aka Forbidden) response, or (3) observing whether certain retransmissions occur.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Asterisk | Open Source | 1.8.0 |
| Asterisk | Certified Asterisk | 1.8.15 |
| Asterisk | Business Edition | c.3.2.2 |
| Asterisk | Digiumphones | 10.0.0 |
Related Weaknesses (CWE)
References
- http://downloads.asterisk.org/pub/security/AST-2013-003.htmlVendor Advisory
- https://issues.asterisk.org/jira/browse/ASTERISK-21013Vendor Advisory
- http://downloads.asterisk.org/pub/security/AST-2013-003.htmlVendor Advisory
- https://issues.asterisk.org/jira/browse/ASTERISK-21013Vendor Advisory
FAQ
What is CVE-2013-2264?
CVE-2013-2264 is a vulnerability with a CVSS score of 5.0 (MEDIUM). The SIP channel driver in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before 1.8.15-cert2; Asterisk Business Edition (BE) C.3.x b...
How severe is CVE-2013-2264?
CVE-2013-2264 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2013-2264?
Check the references section above for vendor advisories and patch information. Affected products include: Asterisk Open Source, Asterisk Certified Asterisk, Asterisk Business Edition, Asterisk Digiumphones.