CVE-2017-14098

critical-risk

Published 2017-09-02

In the pjsip channel driver (res_pjsip) in Asterisk 13.x before 13.17.1 and 14.x before 14.6.1, a carefully crafted tel URI in a From, To, or Contact header could cause Asterisk to crash.

Do I need to act?

40.1% chance of exploitation in next 30 days

EPSS score — higher than 60% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (20)

Asterisk

Affected Vendors

Digium

References (10)

Patch http://downloads.asterisk.org/pub/security/AST-2017-007.html

Third Party Advisory http://www.securityfocus.com/bid/100583

Third Party Advisory http://www.securitytracker.com/id/1039253

Issue Tracking https://bugs.debian.org/873909

Issue Tracking https://issues.asterisk.org/jira/browse/ASTERISK-27152

Patch http://downloads.asterisk.org/pub/security/AST-2017-007.html

Third Party Advisory http://www.securityfocus.com/bid/100583

Third Party Advisory http://www.securitytracker.com/id/1039253

Issue Tracking https://bugs.debian.org/873909

Issue Tracking https://issues.asterisk.org/jira/browse/ASTERISK-27152

/ 100

critical-risk

Severity 26/34 · High

Exploitability 17/34 · Moderate

Exposure 29/34 · Critical