CVE-2011-2536

Asterisk <1.4.41.2, <1.6.2.18.2, <1.8.4.4, <C.3.7.3 - Unauthenticated User Enumeration via SIP

Title source: llm
STIX 2.1

Description

chan_sip.c in the SIP channel driver in Asterisk Open Source 1.4.x before 1.4.41.2, 1.6.2.x before 1.6.2.18.2, and 1.8.x before 1.8.4.4, and Asterisk Business Edition C.3.x before C.3.7.3, disregards the alwaysauthreject option and generates different responses for invalid SIP requests depending on whether the user account exists, which allows remote attackers to enumerate account names via a series of requests.

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1025734

Scores

EPSS 0.0194
EPSS Percentile 77.8%

Details

CWE
CWE-200
Status published
Products (24)
digium/asterisk 1.8.0 (10 CPE variants)
digium/asterisk 1.8.1 (2 CPE variants)
digium/asterisk 1.8.1.1
digium/asterisk 1.8.1.2
digium/asterisk 1.8.2
digium/asterisk 1.8.2.1
digium/asterisk 1.8.2.2
digium/asterisk 1.8.2.3
digium/asterisk 1.8.2.4
digium/asterisk 1.8.3 (4 CPE variants)
... and 14 more
Published Jul 06, 2011
Tracked Since Feb 18, 2026