CVE-2017-16672
MEDIUM
Asterisk Open Source <13.18.1,14.7.1,15.1.1 - Memory Corruption
Title source: llm
Description
An issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 before 14.7.1, and 15 before 15.1.1 and Certified Asterisk 13.13 before 13.13-cert7. A memory leak occurs when an Asterisk pjsip session object is created and that call gets rejected before the session itself is fully established. When this happens the session object never gets destroyed. Eventually Asterisk can run out of memory and crash.
References (5)
Core References
Vendor Advisory x_refsource_confirm
http://downloads.digium.com/pub/security/AST-2017-011.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/101765
Vendor Advisory x_refsource_confirm
https://issues.asterisk.org/jira/browse/ASTERISK-27345
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201811-11
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2017/dsa-4076
Scores
CVSS v3
5.9
EPSS
0.0468
EPSS Percentile
90.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-772
Status
published
Products (2)
digium/asterisk
13.0.0 - 13.18.1
digium/certified_asterisk
13.13.0 (11 CPE variants)
Published
Nov 09, 2017
Tracked Since
Feb 18, 2026