Vulnerability Description
res_pjsip_t38 in Sangoma Asterisk 16.x before 16.16.2, 17.x before 17.9.3, and 18.x before 18.2.2, and Certified Asterisk before 16.8-cert7, allows an attacker to trigger a crash by sending an m=image line with a zero port in the response to a T.38 re-invite initiated by Asterisk. This is a recurrence of the CVE-2019-15297 symptoms, but not for exactly the same reason: the crash occurs because the declined stream is handled with an append operation relative to the active topology, where a replace operation should be used instead.
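The triggering message is easy to recognise on the wire: a SIP response to a re-INVITE whose SDP body carries an m=image line with port 0. The following inspector is an added example, not Asterisk or Sangoma code. It parses the m= lines of an SDP body and reports whether a SIP response declines the image stream with a zero port, which is the message shape the advisory describes. The SIP messages below are constructed; the addresses, tags and Call-ID are placeholders.

```python
"""Flag SIP responses whose SDP declines a T.38 (m=image) stream with port 0.

Added example, not Asterisk code: a small SDP inspector for triaging
captured SIP traffic for the message shape described in AST-2021-006.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class MediaLine:
    media: str          # e.g. "audio", "image"
    port: int           # 0 means the stream is declined (RFC 3264, section 6)
    proto: str          # e.g. "RTP/AVP", "udptl"
    formats: List[str]  # remaining tokens of the m= line, e.g. ["t38"]


def split_sip(message: str) -> Tuple[str, Dict[str, str], str]:
    """Split a SIP message into (start line, lower-cased header dict, body)."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_media_lines(sdp: str) -> List[MediaLine]:
    """Return one MediaLine per m= line; malformed m= lines are skipped."""
    result: List[MediaLine] = []
    for line in sdp.replace("\r\n", "\n").split("\n"):
        if not line.startswith("m="):
            continue
        fields = line[2:].split()
        if len(fields) < 3:
            continue  # an m= line needs at least media, port and proto
        port_field = fields[1].split("/")[0]  # "port/count" form is allowed
        if not port_field.isdigit():
            continue
        result.append(MediaLine(fields[0], int(port_field), fields[2], fields[3:]))
    return result


def declined_image_stream(message: str) -> Optional[MediaLine]:
    """Return the m=image line if this SIP *response* carries an SDP body
    that declines the image stream with port 0, otherwise None.

    Requests are ignored on purpose: the advisory concerns the peer's
    response to a T.38 re-INVITE that Asterisk itself sent.
    """
    start, headers, body = split_sip(message)
    if not start.startswith("SIP/2.0 "):
        return None
    if not headers.get("content-type", "").lower().startswith("application/sdp"):
        return None
    for m in parse_media_lines(body):
        if m.media == "image" and m.port == 0:
            return m
    return None


# Constructed sample: a 200 OK answering a T.38 re-INVITE and declining the
# image stream with port 0. Addresses, tags and Call-ID are placeholders.
SAMPLE_DECLINED = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-example\r\n"
    "From: <sip:asterisk@192.0.2.10>;tag=abc\r\n"
    "To: <sip:fax@192.0.2.20>;tag=def\r\n"
    "Call-ID: example-call-id\r\n"
    "CSeq: 2 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 2 IN IP4 192.0.2.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.20\r\n"
    "t=0 0\r\n"
    "m=image 0 udptl t38\r\n"
)

# Constructed sample: the same answer, but accepting T.38 on a real port.
SAMPLE_ACCEPTED = SAMPLE_DECLINED.replace(
    "m=image 0 udptl t38\r\n",
    "m=image 4000 udptl t38\r\na=T38FaxVersion:0\r\n",
)

if __name__ == "__main__":
    for label, msg in (("declined", SAMPLE_DECLINED), ("accepted", SAMPLE_ACCEPTED)):
        print(label, declined_image_stream(msg))
```

A caveat for anyone writing a detection around this: answering an offered stream with port 0 is the standard way to decline it under RFC 3264, so the triggering response is protocol-legal traffic from an ordinary fax gateway or SBC, not a malformed packet. The inspector therefore tells you which peers decline T.38 re-INVITEs, which is useful for deciding how urgently to upgrade, but the only real fix is the Asterisk versions named in the description.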
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Asterisk | Certified Asterisk | 16.8.0 (before 16.8-cert7) |
| Digium | Asterisk | >= 16.0.0, < 16.16.2 |
| Digium | Asterisk | >= 17.0.0, < 17.9.3 |
| Digium | Asterisk | >= 18.0.0, < 18.2.2 |
| Debian | Debian Linux | 9.0 |
Related Weaknesses (CWE)
References
- https://downloads.asterisk.org/pub/security/AST-2021-006.html (Vendor Advisory)
- https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html (Mailing List, Third Party Advisory)
- https://www.debian.org/security/2022/dsa-5285 (Third Party Advisory)
FAQ
What is CVE-2021-46837?
CVE-2021-46837 is a vulnerability with a CVSS score of 6.5 (MEDIUM). res_pjsip_t38 in Sangoma Asterisk 16.x before 16.16.2, 17.x before 17.9.3, and 18.x before 18.2.2, and Certified Asterisk before 16.8-cert7, allows an attacker to trigger a crash by sending an m=image line with a zero port in the response to a T.38 re-invite initiated by Asterisk. The result is a denial of service of the Asterisk process.
How severe is CVE-2021-46837?
CVE-2021-46837 has been rated MEDIUM with a CVSS base score of 6.5/10. This page lists only the base score and rating; consult the vendor advisory AST-2021-006 in the references for the full assessment.
Is there a patch for CVE-2021-46837?
Yes. The vendor advisory AST-2021-006 in the references above describes the fix, which is included in Asterisk 16.16.2, 17.9.3 and 18.2.2 and in Certified Asterisk 16.8-cert7; the Debian advisories (DLA, November 2022, and DSA-5285) cover the Debian packages. Affected products include: Asterisk Certified Asterisk, Digium Asterisk, Debian Debian Linux.