chan_sip.c in the SIP channel driver in Asterisk Open Source 1.4.x before 1.4.41.2, 1.6.2.x before 1.6.2.18.2, and 1.8.x before 1.8.4.4, and Asterisk Business Edition C.3.x before C.3.7.3, disregards the alwaysauthreject option and generates different responses for invalid SIP requests depending on whether the user account exists, which allows remote attackers to enumerate account names via a series of requests.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
History
21 Nov 2024, 01:28
Type | Values Removed | Values Added |
---|---|---|
References | () http://downloads.asterisk.org/pub/security/AST-2011-011-1.8.diff - Patch | |
References | () http://downloads.asterisk.org/pub/security/AST-2011-011.html - Vendor Advisory | |
References | () http://www.securitytracker.com/id?1025734 - |
Information
Published : 2011-07-06 19:55
Updated : 2024-11-21 01:28
NVD link : CVE-2011-2536
Mitre link : CVE-2011-2536
CVE.ORG link : CVE-2011-2536
JSON object : View
Products Affected
digium
- asterisk
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor