{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-26498", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T05:03:32.984Z", "dateReserved": "2022-03-06T00:00:00", "datePublished": "2022-04-15T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-05-04T00:00:00"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it is possible to download files that are not certificates. These files could be much larger than what one would expect to download, leading to Resource Exhaustion. This is fixed in 16.25.2, 18.11.2, and 19.3.2."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://downloads.asterisk.org/pub/security/"}, {"url": "https://downloads.asterisk.org/pub/security/AST-2022-001.html"}, {"url": "http://packetstormsecurity.com/files/166744/Asterisk-Project-Security-Advisory-AST-2022-001.html"}, {"name": "[debian-lts-announce] 20221117 [SECURITY] [DLA 3194-1] asterisk security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"}, {"name": "DSA-5285", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2022/dsa-5285"}, {"url": "http://packetstormsecurity.com/files/172139/Shannon-Baseband-chatroom-SDP-Attribute-Memory-Corruption.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T05:03:32.984Z"}, "title": "CVE Program Container", "references": [{"url": "https://downloads.asterisk.org/pub/security/", "tags": ["x_transferred"]}, {"url": "https://downloads.asterisk.org/pub/security/AST-2022-001.html", "tags": ["x_transferred"]}, {"url": "http://packetstormsecurity.com/files/166744/Asterisk-Project-Security-Advisory-AST-2022-001.html", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20221117 [SECURITY] [DLA 3194-1] asterisk security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"}, {"name": "DSA-5285", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5285"}, {"url": "http://packetstormsecurity.com/files/172139/Shannon-Baseband-chatroom-SDP-Attribute-Memory-Corruption.html", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*", "matchCriteriaId": "D8AB56FA-AEC6-4A6F-B420-DDBF3390379B", "versionEndIncluding": "16.25.1", "versionStartIncluding": "16.15.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*", "matchCriteriaId": "496A20DA-23D7-435B-8EA9-3AC585DAAB72", "versionEndExcluding": "18.11.2", "versionStartIncluding": "18.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*", "matchCriteriaId": "C25BFFCA-90FE-475D-88A7-3BC281B830AF", "versionEndIncluding": "19.3.1", "versionStartIncluding": "19.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it is possible to download files that are not certificates. These files could be much larger than what one would expect to download, leading to Resource Exhaustion. This is fixed in 16.25.2, 18.11.2, and 19.3.2."}, {"lang": "es", "value": "Se ha detectado un problema en Asterisk versiones hasta 19.x. Cuando es usado STIR/SHAKEN, es posible descargar archivos que no son certificados. Estos archivos pod\u00edan ser mucho m\u00e1s grandes de lo que se esperaba descargar, conllevando a un agotamiento de recursos. Esto ha sido corregido en versiones 16.25.2, 18.11.2 y 19.3.2"}], "id": "CVE-2022-26498", "lastModified": "2024-11-21T06:54:03.827", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-04-15T05:15:06.597", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/166744/Asterisk-Project-Security-Advisory-AST-2022-001.html"}, {"source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/172139/Shannon-Baseband-chatroom-SDP-Attribute-Memory-Corruption.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://downloads.asterisk.org/pub/security/"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://downloads.asterisk.org/pub/security/AST-2022-001.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5285"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/166744/Asterisk-Project-Security-Advisory-AST-2022-001.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/172139/Shannon-Baseband-chatroom-SDP-Attribute-Memory-Corruption.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://downloads.asterisk.org/pub/security/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://downloads.asterisk.org/pub/security/AST-2022-001.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5285"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}