CVE-2018-12227

{"id": "CVE-2018-12227", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2018-06-12T04:29:00.220", "references": [{"url": "http://downloads.asterisk.org/pub/security/AST-2018-008.html", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/104455", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://issues.asterisk.org/jira/browse/ASTERISK-27818", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://security.gentoo.org/glsa/201811-11", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.debian.org/security/2018/dsa-4320", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://downloads.asterisk.org/pub/security/AST-2018-008.html", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/bid/104455", "tags": ["Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://issues.asterisk.org/jira/browse/ASTERISK-27818", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.gentoo.org/glsa/201811-11", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.debian.org/security/2018/dsa-4320", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Asterisk Open Source 13.x before 13.21.1, 14.x before 14.7.7, and 15.x before 15.4.1 and Certified Asterisk 13.18-cert before 13.18-cert4 and 13.21-cert before 13.21-cert2. When endpoint specific ACL rules block a SIP request, they respond with a 403 forbidden. However, if an endpoint is not identified, then a 401 unauthorized response is sent. This vulnerability just discloses which requests hit a defined endpoint. The ACL rules cannot be bypassed to gain access to the disclosed endpoints."}, {"lang": "es", "value": "Se ha descubierto un problema en Asterisk Open Source en versiones 13.x anteriores a la 13.21.1; versiones 14.x anteriores a la 14.7.7 y las versiones 15.x anteriores a la 15.4.1, as\u00ed como Certified Asterisk en versiones 13.18-cert anteriores a la 13.18-cert4 y 13.21-cert anteriores a la 13.21-cert2. Cuando las reglas de lista de control de acceso (ACL) espec\u00edficas del endpoint bloquean una petici\u00f3n SIP, responden con un mensaje de error 403 prohibido. Sin embargo, si no se identifica un endpoint, se env\u00eda una respuesta 401 no autorizada. Esta vulnerabilidad s\u00f3lo revela qu\u00e9 peticiones llegan a un endpoint definido. Las reglas de lista de control de acceso (ACL) no pueden omitirse para obtener acceso a los endpoints revelados."}], "lastModified": "2024-11-21T03:44:49.003", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "85FB9D68-8BEE-40F5-8175-DC62C0EAFE8F", "versionEndExcluding": "13.21.1", "versionStartIncluding": "13.0.0"}, {"criteria": "cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "33B74E57-BD3C-4C54-A27C-F32DEF133390", "versionEndExcluding": "14.7.7", "versionStartExcluding": "14.0.0"}, {"criteria": "cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "41536B2F-2D75-406D-95CC-64889838F0B1", "versionEndExcluding": "15.4.1", "versionStartIncluding": "15.0.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:digium:certified_asterisk:13.18:cert1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "05795EED-0473-4806-A9AD-FD92212CCC77"}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:13.18:cert2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C3F701AA-E842-4680-9747-000C3A4F6E4B"}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:13.18:cert3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4B0FC294-F910-491B-9DEF-9FFEACA208C7"}, {"criteria": "cpe:2.3:a:digium:certified_asterisk:13.21:cert1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B7EE2BD3-51DC-4DA5-A5F2-6275F5277BE7"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}