What is the vulnerability ID for this issue in Asterisk?

The vulnerability ID for this issue in Asterisk is CVE-2017-17850.

What is the severity level of CVE-2017-17850?

The severity level of CVE-2017-17850 is high, with a severity value of 7.5.

What is the affected software version ranges for CVE-2017-17850?

The affected software version ranges for CVE-2017-17850 are as follows: 13.0.0 to 13.18.4, 14.0.0 to 14.7.4, 15.0.0 to 15.1.4, 13.1.0, 13.1.0-rc1, 13.1.0-rc2, and 13.8-cert1.

What is the description of CVE-2017-17850?

CVE-2017-17850 is a vulnerability in Asterisk versions 13.18.4 and older, 14.7.4 and older, 15.1.4 and older, and 13.18-cert1 and older, where certain SIP messages without a contact header can create a dialog in Asterisk.

Are there any references related to CVE-2017-17850?

Yes, there are references related to CVE-2017-17850. They can be found at the following links: [AST-2017-014](http://downloads.asterisk.org/pub/security/AST-2017-014.html), [SecurityTracker](http://www.securitytracker.com/id/1040056), and [ASTERISK-27480](https://issues.asterisk.org/jira/browse/ASTERISK-27480).

Vulnerability/
CVE-2017-17850

high

7.5

CWE

23/12/2017

5/8/2024

CVE-2017-17850: Input Validation

First published: Sat Dec 23 2017(Updated: )

An issue was discovered in Asterisk 13.18.4 and older, 14.7.4 and older, 15.1.4 and older, and 13.18-cert1 and older. A select set of SIP messages create a dialog in Asterisk. Those SIP messages must contain a contact header. For those messages, if the header was not present and the PJSIP channel driver was used, Asterisk would crash. The severity of this vulnerability is somewhat mitigated if authentication is enabled. If authentication is enabled, a user would have to first be authorized before reaching the crash point.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
Digium Asterisk	>=13.0.0<=13.18.4
Digium Asterisk	>=14.0.0<=14.7.4
Digium Asterisk	>=15.0.0<=15.1.4
Digium Certified Asterisk	=13.1.0
Digium Certified Asterisk	=13.1.0-rc1
Digium Certified Asterisk	=13.1.0-rc2
Digium Certified Asterisk	=13.8-cert1

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the vulnerability ID for this issue in Asterisk?
The vulnerability ID for this issue in Asterisk is CVE-2017-17850.
What is the severity level of CVE-2017-17850?
The severity level of CVE-2017-17850 is high, with a severity value of 7.5.
What is the affected software version ranges for CVE-2017-17850?
The affected software version ranges for CVE-2017-17850 are as follows: 13.0.0 to 13.18.4, 14.0.0 to 14.7.4, 15.0.0 to 15.1.4, 13.1.0, 13.1.0-rc1, 13.1.0-rc2, and 13.8-cert1.
What is the description of CVE-2017-17850?
CVE-2017-17850 is a vulnerability in Asterisk versions 13.18.4 and older, 14.7.4 and older, 15.1.4 and older, and 13.18-cert1 and older, where certain SIP messages without a contact header can create a dialog in Asterisk.
Are there any references related to CVE-2017-17850?
Yes, there are references related to CVE-2017-17850. They can be found at the following links: [AST-2017-014](http://downloads.asterisk.org/pub/security/AST-2017-014.html), [SecurityTracker](http://www.securitytracker.com/id/1040056), and [ASTERISK-27480](https://issues.asterisk.org/jira/browse/ASTERISK-27480).

collector/nvd-index
agent/author
agent/severity
agent/weakness
agent/references
agent/type
agent/event
agent/description
agent/last-modified-date
agent/softwarecombine
agent/first-publish-date
agent/tags
collector/mitre-cve
source/MITRE
vendor/digium
canonical/digium asterisk
version/digium asterisk/13.0.0
version/digium asterisk/13.18.4
version/digium asterisk/14.0.0
version/digium asterisk/14.7.4
version/digium asterisk/15.0.0
version/digium asterisk/15.1.4
canonical/digium certified asterisk
version/digium certified asterisk/13.1.0
version/digium certified asterisk/13.1.0-rc1
version/digium certified asterisk/13.1.0-rc2
version/digium certified asterisk/13.8-cert1