2281495 – (CVE-2024-35190) CVE-2024-35190 asterisk: wrongly matches ALL unauthorized SIP requests

Bug 2281495 (CVE-2024-35190) - CVE-2024-35190 asterisk: wrongly matches ALL unauthorized SIP requests

Summary: CVE-2024-35190 asterisk: wrongly matches ALL unauthorized SIP requests

Keywords:
Status:	NEW
Alias:	CVE-2024-35190
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2281496 2281497
Blocks:
TreeView+	depends on / blocked

Reported:	2024-05-19 14:51 UTC by ybuenos
Modified:	2024-05-19 14:52 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description ybuenos 2024-05-19 14:51:29 UTC

Asterisk is an open source private branch exchange and telephony toolkit. After upgrade to 18.23.0, ALL unauthorized SIP requests are identified as PJSIP Endpoint of local asterisk server. This vulnerability is fixed in 18.23.1, 20.8.1, and 21.3.1.

https://github.com/asterisk/asterisk/commit/85241bd22936cc15760fd1f65d16c98be7aeaf6d
https://github.com/asterisk/asterisk/pull/600
https://github.com/asterisk/asterisk/pull/602
https://github.com/asterisk/asterisk/security/advisories/GHSA-qqxj-v78h-hrf9

Comment 1 ybuenos 2024-05-19 14:52:20 UTC

Created asterisk tracking bugs for this issue:

Affects: epel-all [bug 2281496]
Affects: fedora-all [bug 2281497]

Note You need to log in before you can comment on or make changes to this bug.