The SIP over UDP implementation in Asterisk Open Source 1.4.x before 1.4.43, 1.6.x before 1.6.2.21, and 1.8.x before 1.8.7.2 uses different port numbers for responses to invalid requests depending on whether a SIP username exists, which allows remote attackers to enumerate usernames via a series of requests.
Metrics
No CVSS v4.0
No CVSS v3.1
No CVSS v3.0
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Partial
Integrity Impact None
Availability Impact None
This CVE is not in the KEV list.
The EPSS score is 0.00685.
Key SSVC decision points have not yet been added.
Affected Vendors & Products
Vendors | Products |
---|---|
Digium |
|
Configuration 1 [-]
|
Configuration 2 [-]
|
Configuration 3 [-]
|
No data.
No data.
Advisories
Source | ID | Title |
---|---|---|
![]() |
DSA-2367-1 | asterisk security update |
![]() |
EUVD-2011-4521 | The SIP over UDP implementation in Asterisk Open Source 1.4.x before 1.4.43, 1.6.x before 1.6.2.21, and 1.8.x before 1.8.7.2 uses different port numbers for responses to invalid requests depending on whether a SIP username exists, which allows remote attackers to enumerate usernames via a series of requests. |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
No history.

Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2024-08-07T00:09:19.309Z
Reserved: 2011-11-29T00:00:00
Link: CVE-2011-4597

No data.

Status : Deferred
Published: 2011-12-15T03:57:34.310
Modified: 2025-04-11T00:51:21.963
Link: CVE-2011-4597

No data.

No data.