CVE-2018-12227 — MEDIUM (5.3)

Q: How severe is CVE-2018-12227?

CVE-2018-12227 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-12227?

Check the references section above for vendor advisories and patch information. Affected products include: Digium Asterisk, Digium Certified Asterisk, Debian Debian Linux.

Vulnerability Description

An issue was discovered in Asterisk Open Source 13.x before 13.21.1, 14.x before 14.7.7, and 15.x before 15.4.1 and Certified Asterisk 13.18-cert before 13.18-cert4 and 13.21-cert before 13.21-cert2. When endpoint specific ACL rules block a SIP request, they respond with a 403 forbidden. However, if an endpoint is not identified, then a 401 unauthorized response is sent. This vulnerability just discloses which requests hit a defined endpoint. The ACL rules cannot be bypassed to gain access to the disclosed endpoints.

CVSS Score

5.3

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Digium	Asterisk	>= 13.0.0, < 13.21.1
Digium	Certified Asterisk	13.18
Debian	Debian Linux	9.0

Related Weaknesses (CWE)

CWE-200

References

http://downloads.asterisk.org/pub/security/AST-2018-008.htmlVendor Advisory
http://www.securityfocus.com/bid/104455Third Party AdvisoryVDB Entry
https://issues.asterisk.org/jira/browse/ASTERISK-27818PatchVendor Advisory
https://security.gentoo.org/glsa/201811-11Third Party Advisory
https://www.debian.org/security/2018/dsa-4320Third Party Advisory
http://downloads.asterisk.org/pub/security/AST-2018-008.htmlVendor Advisory
http://www.securityfocus.com/bid/104455Third Party AdvisoryVDB Entry
https://issues.asterisk.org/jira/browse/ASTERISK-27818PatchVendor Advisory
https://security.gentoo.org/glsa/201811-11Third Party Advisory
https://www.debian.org/security/2018/dsa-4320Third Party Advisory

FAQ

What is CVE-2018-12227?

CVE-2018-12227 is a vulnerability with a CVSS score of 5.3 (MEDIUM). An issue was discovered in Asterisk Open Source 13.x before 13.21.1, 14.x before 14.7.7, and 15.x before 15.4.1 and Certified Asterisk 13.18-cert before 13.18-cert4 and 13.21-cert before 13.21-cert2. ...

How severe is CVE-2018-12227?

CVE-2018-12227 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-12227?

Check the references section above for vendor advisories and patch information. Affected products include: Digium Asterisk, Digium Certified Asterisk, Debian Debian Linux.