CVE-2019-18976
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
22/11/2019
Last modified:
03/06/2022
Description
An issue was discovered in res_pjsip_t38.c in Sangoma Asterisk through 13.x and Certified Asterisk through 13.21-x. If it receives a re-invite initiating T.38 faxing and has a port of 0 and no c line in the SDP, a NULL pointer dereference and crash will occur. This is different from CVE-2019-18940.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Base Score 2.0
5.00
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:* | 13.0.0 (including) | 13.29.1 (including) |
| cpe:2.3:a:digium:certified_asterisk:13.21:*:*:*:*:*:*:* | ||
| cpe:2.3:a:digium:certified_asterisk:13.21:cert1:*:*:*:*:*:* | ||
| cpe:2.3:a:digium:certified_asterisk:13.21:cert2:*:*:*:*:*:* | ||
| cpe:2.3:a:digium:certified_asterisk:13.21:cert3:*:*:*:*:*:* | ||
| cpe:2.3:a:digium:certified_asterisk:13.21:cert4:*:*:*:*:*:* | ||
| cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://downloads.asterisk.org/pub/security/AST-2019-008.html
- https://lists.debian.org/debian-lts-announce/2022/04/msg00001.html
- https://packetstormsecurity.com/files/155436/Asterisk-Project-Security-Advisory-AST-2019-008.html
- https://seclists.org/fulldisclosure/2019/Nov/20
- https://www.asterisk.org/downloads/security-advisories
- https://www.cybersecurity-help.cz/vdb/SB2019112218?affChecked=1