VYPR
Unrated severity · NVD Advisory · Published Dec 14, 2023 · Updated Feb 13, 2025

Asterisk's PJSIP_HEADER dialplan function can overwrite memory/cause crash when using 'update'

CVE-2023-37457

Description

Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk versions 18.20.0 and prior, 20.5.0 and prior, and 21.0.0, as well as certified-asterisk 18.9-cert5 and prior, the 'update' functionality of the PJSIP_HEADER dialplan function can exceed the available buffer space for storing the new value of a header. Doing so can overwrite memory or cause a crash. This is not externally exploitable unless the dialplan is explicitly written to update a header based on data from an outside source. If the 'update' functionality is not used, the vulnerability does not occur. A patch is available at commit a1ca0268254374b515fa5992f01340f7717113fa.

Affected products

  • Asterisk (vendor: Asterisk), affected version ranges:
    • <=18.20.0
    • <=20.5.0
    • =21.0.0
    • <=18.9-cert5 (certified-asterisk)
