First published: Fri Mar 29 2013(Updated: )
main/http.c in the HTTP server in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before 1.8.15-cert2; and Asterisk Digiumphones 10.x-digiumphones before 10.12.2-digiumphones does not properly restrict Content-Length values, which allows remote attackers to conduct stack-consumption attacks and cause a denial of service (daemon crash) via a crafted HTTP POST request. NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-5976.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Asterisk | =1.8.0 | |
Asterisk | =1.8.0-beta1 | |
Asterisk | =1.8.0-beta2 | |
Asterisk | =1.8.0-beta3 | |
Asterisk | =1.8.0-beta4 | |
Asterisk | =1.8.0-beta5 | |
Asterisk | =1.8.0-rc2 | |
Asterisk | =1.8.0-rc3 | |
Asterisk | =1.8.0-rc4 | |
Asterisk | =1.8.0-rc5 | |
Asterisk | =1.8.1 | |
Asterisk | =1.8.1-rc1 | |
Asterisk | =1.8.1.1 | |
Asterisk | =1.8.1.2 | |
Asterisk | =1.8.2 | |
Asterisk | =1.8.2-rc1 | |
Asterisk | =1.8.2.1 | |
Asterisk | =1.8.2.2 | |
Asterisk | =1.8.2.3 | |
Asterisk | =1.8.2.4 | |
Asterisk | =1.8.3 | |
Asterisk | =1.8.3-rc1 | |
Asterisk | =1.8.3-rc2 | |
Asterisk | =1.8.3-rc3 | |
Asterisk | =1.8.3.1 | |
Asterisk | =1.8.3.2 | |
Asterisk | =1.8.3.3 | |
Asterisk | =1.8.4 | |
Asterisk | =1.8.4-rc1 | |
Asterisk | =1.8.4-rc2 | |
Asterisk | =1.8.4-rc3 | |
Asterisk | =1.8.4.1 | |
Asterisk | =1.8.4.2 | |
Asterisk | =1.8.4.3 | |
Asterisk | =1.8.4.4 | |
Asterisk | =1.8.5-rc1 | |
Asterisk | =1.8.5.0 | |
Asterisk | =1.8.6.0 | |
Asterisk | =1.8.6.0-rc1 | |
Asterisk | =1.8.6.0-rc2 | |
Asterisk | =1.8.6.0-rc3 | |
Asterisk | =1.8.7.0 | |
Asterisk | =1.8.7.0-rc1 | |
Asterisk | =1.8.7.0-rc2 | |
Asterisk | =1.8.7.1 | |
Asterisk | =1.8.7.2 | |
Asterisk | =1.8.8.0 | |
Asterisk | =1.8.8.0-rc1 | |
Asterisk | =1.8.8.0-rc2 | |
Asterisk | =1.8.8.0-rc3 | |
Asterisk | =1.8.8.0-rc4 | |
Asterisk | =1.8.8.0-rc5 | |
Asterisk | =1.8.8.1 | |
Asterisk | =1.8.8.2 | |
Asterisk | =1.8.9.0 | |
Asterisk | =1.8.9.0-rc1 | |
Asterisk | =1.8.9.0-rc2 | |
Asterisk | =1.8.9.0-rc3 | |
Asterisk | =1.8.9.1 | |
Asterisk | =1.8.9.2 | |
Asterisk | =1.8.9.3 | |
Asterisk | =1.8.10.0 | |
Asterisk | =1.8.10.0-rc1 | |
Asterisk | =1.8.10.0-rc2 | |
Asterisk | =1.8.10.0-rc3 | |
Asterisk | =1.8.10.0-rc4 | |
Asterisk | =1.8.10.1 | |
Asterisk | =1.8.11.0 | |
Asterisk | =1.8.11.0-rc2 | |
Asterisk | =1.8.11.0-rc3 | |
Asterisk | =1.8.11.1 | |
Asterisk | =1.8.12 | |
Asterisk | =1.8.12.0-rc1 | |
Asterisk | =1.8.12.0-rc2 | |
Asterisk | =1.8.12.0-rc3 | |
Asterisk | =1.8.12.1 | |
Asterisk | =1.8.12.2 | |
Asterisk | =1.8.13.0 | |
Asterisk | =1.8.13.0-rc1 | |
Asterisk | =1.8.13.0-rc2 | |
Asterisk | =1.8.13.1 | |
Asterisk | =1.8.14.0 | |
Asterisk | =1.8.14.0-rc1 | |
Asterisk | =1.8.14.0-rc2 | |
Asterisk | =1.8.14.1 | |
Asterisk | =1.8.15.0 | |
Asterisk | =1.8.15.0-rc1 | |
Asterisk | =1.8.15.1 | |
Asterisk | =1.8.16.0 | |
Asterisk | =1.8.16.0-rc1 | |
Asterisk | =1.8.16.0-rc2 | |
Asterisk | =1.8.17.0 | |
Asterisk | =1.8.17.0-rc1 | |
Asterisk | =1.8.17.0-rc2 | |
Asterisk | =1.8.17.0-rc3 | |
Asterisk | =1.8.18.0 | |
Asterisk | =1.8.18.0-rc1 | |
Asterisk | =1.8.18.1 | |
Asterisk | =1.8.19.0 | |
Asterisk | =1.8.19.0-rc1 | |
Asterisk | =1.8.19.0-rc3 | |
Asterisk | =1.8.19.1 | |
Asterisk | =1.8.20.0 | |
Asterisk | =1.8.20.0-rc1 | |
Asterisk | =1.8.20.0-rc2 | |
Asterisk | =1.8.20.1 | |
Asterisk | =10.0.0 | |
Asterisk | =10.0.0-beta1 | |
Asterisk | =10.0.0-beta2 | |
Asterisk | =10.0.0-rc1 | |
Asterisk | =10.0.0-rc2 | |
Asterisk | =10.0.0-rc3 | |
Asterisk | =10.0.1 | |
Asterisk | =10.1.0 | |
Asterisk | =10.1.0-rc1 | |
Asterisk | =10.1.0-rc2 | |
Asterisk | =10.1.1 | |
Asterisk | =10.1.2 | |
Asterisk | =10.1.3 | |
Asterisk | =10.2.0 | |
Asterisk | =10.2.0-rc1 | |
Asterisk | =10.2.0-rc2 | |
Asterisk | =10.2.0-rc3 | |
Asterisk | =10.2.0-rc4 | |
Asterisk | =10.2.1 | |
Asterisk | =10.3.0 | |
Asterisk | =10.3.0-rc2 | |
Asterisk | =10.3.0-rc3 | |
Asterisk | =10.3.1 | |
Asterisk | =10.4.0 | |
Asterisk | =10.4.0-rc1 | |
Asterisk | =10.4.0-rc2 | |
Asterisk | =10.4.0-rc3 | |
Asterisk | =10.4.1 | |
Asterisk | =10.4.2 | |
Asterisk | =10.5.0 | |
Asterisk | =10.5.0-rc1 | |
Asterisk | =10.5.0-rc2 | |
Asterisk | =10.5.1 | |
Asterisk | =10.5.2 | |
Asterisk | =10.6.0 | |
Asterisk | =10.6.0-rc1 | |
Asterisk | =10.6.0-rc2 | |
Asterisk | =10.6.1 | |
Asterisk | =10.7.0 | |
Asterisk | =10.7.0-rc1 | |
Asterisk | =10.7.1 | |
Asterisk | =10.8.0 | |
Asterisk | =10.8.0-rc1 | |
Asterisk | =10.8.0-rc2 | |
Asterisk | =10.9.0 | |
Asterisk | =10.9.0-rc1 | |
Asterisk | =10.9.0-rc2 | |
Asterisk | =10.9.0-rc3 | |
Asterisk | =10.10.0 | |
Asterisk | =10.10.0-rc1 | |
Asterisk | =10.10.0-rc2 | |
Asterisk | =10.10.1 | |
Asterisk | =10.11.0 | |
Asterisk | =10.11.0-rc1 | |
Asterisk | =10.11.0-rc3 | |
Asterisk | =10.11.1 | |
Asterisk | =10.12.0 | |
Asterisk | =10.12.0-rc1 | |
Asterisk | =10.12.0-rc2 | |
Asterisk | =10.12.1 | |
Asterisk | =11.0.0 | |
Asterisk | =11.0.0-beta1 | |
Asterisk | =11.0.0-beta2 | |
Asterisk | =11.0.0-rc1 | |
Asterisk | =11.0.0-rc2 | |
Asterisk | =11.0.1 | |
Asterisk | =11.0.2 | |
Asterisk | =11.1.0 | |
Asterisk | =11.1.0-rc1 | |
Asterisk | =11.1.0-rc3 | |
Asterisk | =11.1.1 | |
Asterisk | =11.1.2 | |
Asterisk | =11.2.0 | |
Asterisk | =11.2.0-rc1 | |
Asterisk | =11.2.0-rc2 | |
Asterisk | =11.2.1 | |
Asterisk | =1.8.15-cert1 | |
Asterisk | =1.8.15-cert1 | |
Asterisk | =1.8.15-cert1 | |
Asterisk | =1.8.15-cert1 | |
Asterisk | =1.8.15.0 | |
Asterisk | =1.8.15.0-rc1 | |
Digium Asterisk Digiumphones | =10.0.0 | |
Digium Asterisk Digiumphones | =10.0.0-beta1 | |
Digium Asterisk Digiumphones | =10.0.0-beta2 | |
Digium Asterisk Digiumphones | =10.0.0-rc1 | |
Digium Asterisk Digiumphones | =10.0.0-rc2 | |
Digium Asterisk Digiumphones | =10.0.0-rc3 | |
Digium Asterisk Digiumphones | =10.1.0 | |
Digium Asterisk Digiumphones | =10.1.0-rc1 | |
Digium Asterisk Digiumphones | =10.1.0-rc2 | |
Digium Asterisk Digiumphones | =10.2.0 | |
Digium Asterisk Digiumphones | =10.2.0-rc1 | |
Digium Asterisk Digiumphones | =10.2.0-rc2 | |
Digium Asterisk Digiumphones | =10.2.0-rc3 | |
Digium Asterisk Digiumphones | =10.2.0-rc4 | |
Digium Asterisk Digiumphones | =10.3.0 | |
Digium Asterisk Digiumphones | =10.3.0-rc2 | |
Digium Asterisk Digiumphones | =10.3.0-rc3 | |
Digium Asterisk Digiumphones | =10.4.0 | |
Digium Asterisk Digiumphones | =10.4.0-rc1 | |
Digium Asterisk Digiumphones | =10.4.0-rc2 | |
Digium Asterisk Digiumphones | =10.4.0-rc3 | |
Digium Asterisk Digiumphones | =10.5.0 | |
Digium Asterisk Digiumphones | =10.5.0-rc1 | |
Digium Asterisk Digiumphones | =10.5.0-rc2 | |
Digium Asterisk Digiumphones | =10.6.0 | |
Digium Asterisk Digiumphones | =10.6.0-rc1 | |
Digium Asterisk Digiumphones | =10.6.0-rc2 | |
Digium Asterisk Digiumphones | =10.7.0 | |
Digium Asterisk Digiumphones | =10.7.0-rc1 | |
Digium Asterisk Digiumphones | =10.8.0 | |
Digium Asterisk Digiumphones | =10.8.0-rc1 | |
Digium Asterisk Digiumphones | =10.8.0-rc2 | |
Digium Asterisk Digiumphones | =10.9.0-rc1 | |
Digium Asterisk Digiumphones | =10.10.0 | |
Digium Asterisk Digiumphones | =10.10.0-rc1 | |
Digium Asterisk Digiumphones | =10.10.0-rc2 | |
Digium Asterisk Digiumphones | =10.11.0 | |
Digium Asterisk Digiumphones | =10.11.0-rc1 | |
Digium Asterisk Digiumphones | =10.11.0-rc2 | |
Digium Asterisk Digiumphones | =10.11.0-rc3 | |
Digium Asterisk Digiumphones | =10.12.0 | |
Digium Asterisk Digiumphones | =10.12.0-rc1 | |
Digium Asterisk Digiumphones | =10.12.0-rc2 | |
Digium Asterisk Digiumphones | =10.12.1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2013-2686 is classified as a moderate severity vulnerability.
To mitigate CVE-2013-2686, update Asterisk to version 1.8.20.2, 10.12.2, or 11.2.2 or later.
CVE-2013-2686 affects Asterisk Open Source versions 1.8.x before 1.8.20.2, 10.x before 10.12.2, and 11.x before 11.2.2.
Yes, CVE-2013-2686 can be exploited remotely, potentially allowing an attacker to send specially crafted HTTP requests.
The vulnerability may lead to unexpected behavior in the handling of HTTP requests, which could affect system availability.