Search

Find a vulnerability

Search criteria

    215 vulnerabilities by asterisk

    CERTFR-2026-AVI-0805

    Vulnerability from certfr_avis - Published: 2026-06-26 - Updated: 2026-06-26

    De multiples vulnérabilités ont été découvertes dans Asterisk. Certaines d'entre elles permettent à un attaquant de provoquer un déni de service à distance, une atteinte à l'intégrité des données et un contournement de la politique de sécurité.

    Solutions

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    Impacted products
    Vendor Product Description
    Asterisk Asterisk Asterisk versions 20.x antérieures à 20.20.1
    Asterisk Certified Asterisk Certified Asterisk versions 22.x antérieures à 22.8-cert3
    Asterisk Asterisk Asterisk versions 23.x antérieures à 23.4.1
    Asterisk Asterisk Asterisk versions 22.x antérieures à 22.10.1
    Asterisk Asterisk Asterisk versions 21.x antérieures à 21.12.3
    Asterisk Certified Asterisk Certified Asterisk versions 20.x antérieures à 20.7-cert11
    References

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Asterisk versions 20.x ant\u00e9rieures \u00e0 20.20.1",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "Certified Asterisk versions 22.x ant\u00e9rieures \u00e0 22.8-cert3",
          "product": {
            "name": "Certified Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "Asterisk versions 23.x ant\u00e9rieures \u00e0 23.4.1",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "Asterisk versions 22.x ant\u00e9rieures \u00e0 22.10.1",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "Asterisk versions 21.x ant\u00e9rieures \u00e0 21.12.3",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "Certified Asterisk versions 20.x ant\u00e9rieures \u00e0 20.7-cert11",
          "product": {
            "name": "Certified Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": "",
      "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
      "cves": [
        {
          "name": "CVE-2026-57200",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57200"
        },
        {
          "name": "CVE-2026-57184",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57184"
        },
        {
          "name": "CVE-2026-57202",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57202"
        },
        {
          "name": "CVE-2026-57187",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57187"
        },
        {
          "name": "CVE-2026-57186",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57186"
        },
        {
          "name": "CVE-2026-57194",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57194"
        }
      ],
      "initial_release_date": "2026-06-26T00:00:00",
      "last_revision_date": "2026-06-26T00:00:00",
      "links": [],
      "reference": "CERTFR-2026-AVI-0805",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2026-06-26T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "D\u00e9ni de service \u00e0 distance"
        },
        {
          "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
        },
        {
          "description": "Contournement de la politique de s\u00e9curit\u00e9"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Asterisk. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et un contournement de la politique de s\u00e9curit\u00e9.",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans Asterisk",
      "vendor_advisories": [
        {
          "published_at": "2026-06-25",
          "title": "Bulletin de s\u00e9curit\u00e9 Asterisk GHSA-3g56-cgrh-95p5",
          "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-3g56-cgrh-95p5"
        },
        {
          "published_at": "2026-06-25",
          "title": "Bulletin de s\u00e9curit\u00e9 Asterisk GHSA-g8q2-p36q-94f6",
          "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-g8q2-p36q-94f6"
        },
        {
          "published_at": "2026-06-25",
          "title": "Bulletin de s\u00e9curit\u00e9 Asterisk GHSA-h5hv-jmgj-92q2",
          "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-h5hv-jmgj-92q2"
        },
        {
          "published_at": "2026-06-25",
          "title": "Bulletin de s\u00e9curit\u00e9 Asterisk GHSA-wcvv-g26m-wx5c",
          "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-wcvv-g26m-wx5c"
        },
        {
          "published_at": "2026-06-25",
          "title": "Bulletin de s\u00e9curit\u00e9 Asterisk GHSA-746q-794h-cc7f",
          "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-746q-794h-cc7f"
        },
        {
          "published_at": "2026-06-25",
          "title": "Bulletin de s\u00e9curit\u00e9 Asterisk GHSA-vrfp-mg3q-3959",
          "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-vrfp-mg3q-3959"
        }
      ]
    }

    CERTFR-2026-AVI-0538

    Vulnerability from certfr_avis - Published: 2026-05-06 - Updated: 2026-05-06

    De multiples vulnérabilités ont été découvertes dans Asterisk. Elles permettent à un attaquant de provoquer un déni de service à distance.

    Solutions

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    Impacted products
    Vendor Product Description
    Asterisk Asterisk asterisk versions 22.8.x antérieures à 22.9.0
    Asterisk Asterisk asterisk versions 23.2.x antérieures à 23.3.0
    Asterisk Asterisk certified-asterisk versions 20.x antérieures à 20.7-cert10
    Asterisk Asterisk asterisk versions 20.18.x antérieures à 20.19.0
    Asterisk Asterisk asterisk versions 21.12.x antérieures à 21.12.2
    Asterisk Asterisk certified-asterisk versions 22.x antérieures à 22.8-cert2
    References

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "asterisk versions 22.8.x ant\u00e9rieures \u00e0 22.9.0",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "asterisk versions 23.2.x ant\u00e9rieures \u00e0 23.3.0",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "certified-asterisk versions 20.x ant\u00e9rieures \u00e0 20.7-cert10",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "asterisk versions 20.18.x ant\u00e9rieures \u00e0 20.19.0",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "asterisk versions 21.12.x ant\u00e9rieures \u00e0 21.12.2",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "certified-asterisk versions 22.x ant\u00e9rieures \u00e0 22.8-cert2",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": "",
      "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
      "cves": [
        {
          "name": "CVE-2026-32942",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-32942"
        },
        {
          "name": "CVE-2026-28799",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-28799"
        },
        {
          "name": "CVE-2026-25994",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-25994"
        },
        {
          "name": "CVE-2026-33069",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-33069"
        }
      ],
      "initial_release_date": "2026-05-06T00:00:00",
      "last_revision_date": "2026-05-06T00:00:00",
      "links": [],
      "reference": "CERTFR-2026-AVI-0538",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2026-05-06T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "D\u00e9ni de service \u00e0 distance"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Asterisk. Elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance.",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans Asterisk",
      "vendor_advisories": [
        {
          "published_at": "2026-05-05",
          "title": "Bulletin de s\u00e9curit\u00e9 Asterisk GHSA-x2f3-ccvh-2rr2",
          "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-x2f3-ccvh-2rr2"
        },
        {
          "published_at": "2026-05-05",
          "title": "Bulletin de s\u00e9curit\u00e9 Asterisk GHSA-x6qg-jfj6-6f93",
          "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-x6qg-jfj6-6f93"
        },
        {
          "published_at": "2026-05-05",
          "title": "Bulletin de s\u00e9curit\u00e9 Asterisk GHSA-f948-v379-526c",
          "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-f948-v379-526c"
        },
        {
          "published_at": "2026-05-05",
          "title": "Bulletin de s\u00e9curit\u00e9 Asterisk GHSA-rrfc-6662-c6hm",
          "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-rrfc-6662-c6hm"
        }
      ]
    }

    CERTFR-2026-AVI-0123

    Vulnerability from certfr_avis - Published: 2026-02-06 - Updated: 2026-02-06

    De multiples vulnérabilités ont été découvertes dans Asterisk. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et une atteinte à la confidentialité des données.

    Solutions

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    Impacted products
    Vendor Product Description
    Asterisk Asterisk Asterisk versions 21.12.x antérieures à 21.12.1
    Asterisk Asterisk Asterisk versions 22.8.x antérieures à 22.8.2
    Asterisk Asterisk Asterisk versions 20.18.x antérieures à 20.18.2
    Asterisk Asterisk Asterisk versions 23.2.x antérieures à 23.2.2
    Asterisk Asterisk Asterisk versions antérieures à 20.7-cert9
    References

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "Asterisk versions 21.12.x ant\u00e9rieures \u00e0 21.12.1",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "Asterisk versions 22.8.x ant\u00e9rieures \u00e0 22.8.2",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "Asterisk versions 20.18.x ant\u00e9rieures \u00e0 20.18.2",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "Asterisk versions 23.2.x ant\u00e9rieures \u00e0 23.2.2",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "Asterisk versions ant\u00e9rieures \u00e0 20.7-cert9",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": "",
      "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
      "cves": [
        {
          "name": "CVE-2026-23738",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-23738"
        },
        {
          "name": "CVE-2026-23741",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-23741"
        },
        {
          "name": "CVE-2026-23740",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-23740"
        },
        {
          "name": "CVE-2026-23739",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-23739"
        }
      ],
      "initial_release_date": "2026-02-06T00:00:00",
      "last_revision_date": "2026-02-06T00:00:00",
      "links": [],
      "reference": "CERTFR-2026-AVI-0123",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2026-02-06T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Injection de code indirecte \u00e0 distance (XSS)"
        },
        {
          "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
        },
        {
          "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
        },
        {
          "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
        },
        {
          "description": "\u00c9l\u00e9vation de privil\u00e8ges"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Asterisk. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans Asterisk",
      "vendor_advisories": [
        {
          "published_at": "2026-02-05",
          "title": "Bulletin de s\u00e9curit\u00e9 Asterisk GHSA-v6hp-wh3r-cwxh",
          "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-v6hp-wh3r-cwxh"
        },
        {
          "published_at": "2026-02-05",
          "title": "Bulletin de s\u00e9curit\u00e9 Asterisk GHSA-xpc6-x892-v83c",
          "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-xpc6-x892-v83c"
        },
        {
          "published_at": "2026-02-05",
          "title": "Bulletin de s\u00e9curit\u00e9 Asterisk GHSA-rvch-3jmx-3jf3",
          "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-rvch-3jmx-3jf3"
        },
        {
          "published_at": "2026-02-05",
          "title": "Bulletin de s\u00e9curit\u00e9 Asterisk GHSA-85x7-54wr-vh42",
          "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-85x7-54wr-vh42"
        }
      ]
    }

    CERTFR-2025-AVI-0739

    Vulnerability from certfr_avis - Published: 2025-08-29 - Updated: 2025-08-29

    De multiples vulnérabilités ont été découvertes dans Asterisk. Elles permettent à un attaquant de provoquer un déni de service à distance.

    Solutions

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    Impacted products
    Vendor Product Description
    Asterisk Asterisk asterisk versions 20.15.x antérieures à 20.15.2
    Asterisk Asterisk asterisk versions 22.5.x antérieures à 22.5.2
    Asterisk Asterisk asterisk versions 18.26.x antérieures à 18.26.4
    Asterisk Asterisk asterisk versions 21.10.x antérieures à 21.10.2
    Asterisk Asterisk asterisk versions 18.9-cert1x antérieures à 18.9-cert17
    References

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "asterisk versions 20.15.x ant\u00e9rieures \u00e0 20.15.2",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "asterisk versions 22.5.x ant\u00e9rieures \u00e0 22.5.2",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "asterisk versions 18.26.x ant\u00e9rieures \u00e0 18.26.4",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "asterisk versions 21.10.x ant\u00e9rieures \u00e0 21.10.2",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "asterisk versions 18.9-cert1x ant\u00e9rieures \u00e0 18.9-cert17",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": "",
      "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
      "cves": [
        {
          "name": "CVE-2025-57767",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-57767"
        },
        {
          "name": "CVE-2025-54995",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-54995"
        }
      ],
      "initial_release_date": "2025-08-29T00:00:00",
      "last_revision_date": "2025-08-29T00:00:00",
      "links": [],
      "reference": "CERTFR-2025-AVI-0739",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2025-08-29T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "D\u00e9ni de service \u00e0 distance"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Asterisk. Elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance.",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans Asterisk",
      "vendor_advisories": [
        {
          "published_at": "2025-08-28",
          "title": "Bulletin de s\u00e9curit\u00e9 Asterisk GHSA-64qc-9x89-rx5j",
          "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-64qc-9x89-rx5j"
        },
        {
          "published_at": "2025-08-28",
          "title": "Bulletin de s\u00e9curit\u00e9 Asterisk GHSA-557q-795j-wfx2",
          "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-557q-795j-wfx2"
        }
      ]
    }

    CERTFR-2025-AVI-0645

    Vulnerability from certfr_avis - Published: 2025-08-01 - Updated: 2025-08-01

    De multiples vulnérabilités ont été découvertes dans Asterisk. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.

    Solutions

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    Impacted products
    Vendor Product Description
    Asterisk Asterisk asterisk versions 20.15.x antérieures à 20.15.1
    Asterisk Asterisk asterisk versions antérieures à 20.7-cert7
    Asterisk Asterisk asterisk versions 18.26.x antérieures à 18.26.3
    Asterisk Asterisk asterisk versions 21.10.x antérieures à 21.10.1
    Asterisk Asterisk asterisk versions 22.5.x antérieures à 22.5.1
    References

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "asterisk versions 20.15.x ant\u00e9rieures \u00e0 20.15.1",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "asterisk versions ant\u00e9rieures \u00e0 20.7-cert7",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "asterisk versions 18.26.x ant\u00e9rieures \u00e0 18.26.3",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "asterisk versions 21.10.x ant\u00e9rieures \u00e0 21.10.1",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "asterisk versions 22.5.x ant\u00e9rieures \u00e0 22.5.1",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": "",
      "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
      "cves": [
        {
          "name": "CVE-2025-49832",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-49832"
        },
        {
          "name": "CVE-2025-1131",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-1131"
        }
      ],
      "initial_release_date": "2025-08-01T00:00:00",
      "last_revision_date": "2025-08-01T00:00:00",
      "links": [],
      "reference": "CERTFR-2025-AVI-0645",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2025-08-01T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "D\u00e9ni de service \u00e0 distance"
        },
        {
          "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
        },
        {
          "description": "\u00c9l\u00e9vation de privil\u00e8ges"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Asterisk. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans Asterisk",
      "vendor_advisories": [
        {
          "published_at": "2025-07-31",
          "title": "Bulletin de s\u00e9curit\u00e9 Asterisk GHSA-v9q8-9j8m-5xwp",
          "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp"
        },
        {
          "published_at": "2025-07-31",
          "title": "Bulletin de s\u00e9curit\u00e9 Asterisk GHSA-mrq5-74j5-f5cr",
          "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-mrq5-74j5-f5cr"
        }
      ]
    }

    CERTFR-2025-AVI-0446

    Vulnerability from certfr_avis - Published: 2025-05-23 - Updated: 2025-05-23

    De multiples vulnérabilités ont été découvertes dans Asterisk. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité.

    Solutions

    Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

    Impacted products
    Vendor Product Description
    Asterisk Asterisk asterisk versions 18.26.x antérieures à 18.26.2
    Asterisk Asterisk asterisk versions 21.9.x antérieures à 21.9.1
    Asterisk Asterisk asterisk versions 20.7-certx antérieures à 20.7-cert5
    Asterisk Asterisk asterisk versions 20.14.x antérieures à 20.14.1
    Asterisk Asterisk asterisk versions 22.4.x antérieures à 22.4.1
    Asterisk Asterisk asterisk versions 18.9-certx antérieures à 18.9-cert14
    References

    Show details on source website

    {
      "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
      "affected_systems": [
        {
          "description": "asterisk versions 18.26.x ant\u00e9rieures \u00e0 18.26.2",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "asterisk versions 21.9.x ant\u00e9rieures \u00e0 21.9.1",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "asterisk versions 20.7-certx ant\u00e9rieures \u00e0 20.7-cert5",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "asterisk versions 20.14.x ant\u00e9rieures \u00e0 20.14.1",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "asterisk versions 22.4.x ant\u00e9rieures \u00e0 22.4.1",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        },
        {
          "description": "asterisk versions 18.9-certx ant\u00e9rieures \u00e0 18.9-cert14",
          "product": {
            "name": "Asterisk",
            "vendor": {
              "name": "Asterisk",
              "scada": false
            }
          }
        }
      ],
      "affected_systems_content": "",
      "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
      "cves": [
        {
          "name": "CVE-2025-47780",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-47780"
        },
        {
          "name": "CVE-2025-47779",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-47779"
        }
      ],
      "initial_release_date": "2025-05-23T00:00:00",
      "last_revision_date": "2025-05-23T00:00:00",
      "links": [],
      "reference": "CERTFR-2025-AVI-0446",
      "revisions": [
        {
          "description": "Version initiale",
          "revision_date": "2025-05-23T00:00:00.000000"
        }
      ],
      "risks": [
        {
          "description": "Contournement de la politique de s\u00e9curit\u00e9"
        }
      ],
      "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Asterisk. Elles permettent \u00e0 un attaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.",
      "title": "Multiples vuln\u00e9rabilit\u00e9s dans Asterisk",
      "vendor_advisories": [
        {
          "published_at": "2025-05-22",
          "title": "Bulletin de s\u00e9curit\u00e9 Asterisk GHSA-c7p6-7mvq-8jq2",
          "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2"
        },
        {
          "published_at": "2025-05-22",
          "title": "Bulletin de s\u00e9curit\u00e9 Asterisk GHSA-2grh-7mhv-fcfw",
          "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-2grh-7mhv-fcfw"
        }
      ]
    }

    VAR-201410-1418

    Vulnerability from variot - Updated: 2026-04-10 23:34

    The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. OpenSSL is prone to an information disclosure vulnerability. An attacker can exploit this issue to perform man-in-the-middle attacks and obtain sensitive information. Successful exploits will lead to other attacks. The following versions are vulnerable: OpenSSL 0.9.8 prior to 0.9.8zc OpenSSL 1.0.0 prior to 1.0.0o OpenSSL 1.0.1 prior to 1.0.1j. SSL protocol is the abbreviation of Secure Socket Layer protocol (Secure Socket Layer) developed by Netscape, which provides security and data integrity guarantee for Internet communication. The vulnerability is caused by the program's use of non-deterministic CBC padding. OpenSSL Security Advisory [15 Oct 2014] =======================================

    SRTP Memory Leak (CVE-2014-3513)

    Severity: High

    A flaw in the DTLS SRTP extension parsing code allows an attacker, who sends a carefully crafted handshake message, to cause OpenSSL to fail to free up to 64k of memory causing a memory leak. This could be exploited in a Denial Of Service attack. This issue affects OpenSSL 1.0.1 server implementations for both SSL/TLS and DTLS regardless of whether SRTP is used or configured. Implementations of OpenSSL that have been compiled with OPENSSL_NO_SRTP defined are not affected.

    This issue was reported to OpenSSL on 26th September 2014, based on an original issue and patch developed by the LibreSSL project. Further analysis of the issue was performed by the OpenSSL team.

    The fix was developed by the OpenSSL team.

    Session Ticket Memory Leak (CVE-2014-3567)

    Severity: Medium

    When an OpenSSL SSL/TLS/DTLS server receives a session ticket the integrity of that ticket is first verified. In the event of a session ticket integrity check failing, OpenSSL will fail to free memory causing a memory leak. By sending a large number of invalid session tickets an attacker could exploit this issue in a Denial Of Service attack.

    This issue was reported to OpenSSL on 8th October 2014.

    The fix was developed by Stephen Henson of the OpenSSL core team.

    SSL 3.0 Fallback protection

    Severity: Medium

    OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications to block the ability for a MITM attacker to force a protocol downgrade.

    Some client applications (such as browsers) will reconnect using a downgraded protocol to work around interoperability bugs in older servers. This could be exploited by an active man-in-the-middle to downgrade connections to SSL 3.0 even if both sides of the connection support higher protocols. SSL 3.0 contains a number of weaknesses including POODLE (CVE-2014-3566).

    https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00 https://www.openssl.org/~bodo/ssl-poodle.pdf

    Support for TLS_FALLBACK_SCSV was developed by Adam Langley and Bodo Moeller.

    Build option no-ssl3 is incomplete (CVE-2014-3568)

    Severity: Low

    When OpenSSL is configured with "no-ssl3" as a build option, servers could accept and complete a SSL 3.0 handshake, and clients could be configured to send them.

    This issue was reported to OpenSSL by Akamai Technologies on 14th October 2014.

    The fix was developed by Akamai and the OpenSSL team.

    References

    URL for this Security Advisory: https://www.openssl.org/news/secadv_20141015.txt

    Note: the online version of the advisory may be updated with additional details over time.

    For details of OpenSSL severity classifications please see: https://www.openssl.org/about/secpolicy.html

    . The following firmware versions of Virtual Connect (VC) are impacted:

    HPE BladeSystem c-Class Virtual Connect (VC) Firmware 4.30 through VC 4.45 HPE BladeSystem c-Class Virtual Connect (VC) Firmware 3.62 through VC 4.21

    Note: Firmware versions 3.62 through 4.21 are not impacted by CVE-2016-0800, CVE-2015-3194, CVE-2014-3566, CVE-2015-0705, CVE-2016-0799, and CVE-2016-2842. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201507-14


                                           https://security.gentoo.org/
    

    Severity: Normal Title: Oracle JRE/JDK: Multiple vulnerabilities Date: July 10, 2015 Bugs: #537214 ID: 201507-14


    Synopsis

    Multiple vulnerabilities have been found in Oracle JRE/JDK, allowing both local and remote attackers to compromise various Java components. Please review the CVE identifiers referenced below for details.

    Impact

    An context-dependent attacker may be able to influence the confidentiality, integrity, and availability of Java applications/runtime.

    Workaround

    There is no workaround at this time.

    Resolution

    All Oracle JRE 8 users should upgrade to the latest stable version:

    emerge --sync

    emerge --ask --oneshot --verbose ">=dev-java/oracle-jre-bin-1.8.0.31

    All Oracle JDK 8 users should upgrade to the latest stable version:

    emerge --sync

    emerge --ask --oneshot --verbose ">=dev-java/oracle-jdk-bin-1.8.0.31

    All Oracle JRE 7 users should upgrade to the latest version:

    emerge --sync

    emerge --ask --oneshot --verbose ">=dev-java/oracle-jre-bin-1.7.0.76

    All Oracle JDK 7 users should upgrade to the latest stable version:

    emerge --sync

    emerge --ask --oneshot --verbose ">=dev-java/oracle-jdk-bin-1.7.0.76

    References

    [ 1 ] CVE-2014-3566 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3566 [ 2 ] CVE-2014-6549 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6549 [ 3 ] CVE-2014-6585 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6585 [ 4 ] CVE-2014-6587 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6587 [ 5 ] CVE-2014-6591 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6591 [ 6 ] CVE-2014-6593 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6593 [ 7 ] CVE-2014-6601 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6601 [ 8 ] CVE-2015-0383 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0383 [ 9 ] CVE-2015-0395 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0395 [ 10 ] CVE-2015-0400 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0400 [ 11 ] CVE-2015-0403 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0403 [ 12 ] CVE-2015-0406 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0406 [ 13 ] CVE-2015-0407 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0407 [ 14 ] CVE-2015-0408 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0408 [ 15 ] CVE-2015-0410 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0410 [ 16 ] CVE-2015-0412 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0412 [ 17 ] CVE-2015-0413 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0413 [ 18 ] CVE-2015-0421 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0421

    Availability

    This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

    https://security.gentoo.org/glsa/201507-14

    Concerns?

    Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

    License

    Copyright 2015 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

    The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

    http://creativecommons.org/licenses/by-sa/2.5 .

    HP CMS: UCMDB Browser all supported versions. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

    ===================================================================== Red Hat Security Advisory

    Synopsis: Critical: java-1.7.0-ibm security update Advisory ID: RHSA-2014:1876-01 Product: Red Hat Enterprise Linux Supplementary Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1876.html Issue date: 2014-11-19 CVE Names: CVE-2014-3065 CVE-2014-3566 CVE-2014-4288 CVE-2014-6456 CVE-2014-6457 CVE-2014-6458 CVE-2014-6476 CVE-2014-6492 CVE-2014-6493 CVE-2014-6502 CVE-2014-6503 CVE-2014-6506 CVE-2014-6511 CVE-2014-6512 CVE-2014-6515 CVE-2014-6527 CVE-2014-6531 CVE-2014-6532 CVE-2014-6558 =====================================================================

    1. Summary:

    Updated java-1.7.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 Supplementary.

    Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

    1. Relevant releases/architectures:

    Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, ppc, s390x, x86_64

    1. Description:

    IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

    This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Detailed vulnerability descriptions are linked from the IBM Security alerts page, listed in the References section. (CVE-2014-3065, CVE-2014-3566, CVE-2014-4288, CVE-2014-6456, CVE-2014-6457, CVE-2014-6458, CVE-2014-6476, CVE-2014-6492, CVE-2014-6493, CVE-2014-6502, CVE-2014-6503, CVE-2014-6506, CVE-2014-6511, CVE-2014-6512, CVE-2014-6515, CVE-2014-6527, CVE-2014-6531, CVE-2014-6532, CVE-2014-6558)

    The CVE-2014-6512 issue was discovered by Florian Weimer of Red Hat Product Security.

    Note: With this update, the IBM SDK now disables the SSL 3.0 protocol to address the CVE-2014-3566 issue (also known as POODLE). Refer to the IBM article linked to in the References section for additional details about this change and instructions on how to re-enable SSL 3.0 support if needed.

    All users of java-1.7.0-ibm are advised to upgrade to these updated packages, containing the IBM Java SE 7 SR8 release. All running instances of IBM Java must be restarted for the update to take effect.

    1. Solution:

    Before applying this update, make sure all previously released errata relevant to your system have been applied.

    This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

    1. Bugs fixed (https://bugzilla.redhat.com/):

    1071210 - CVE-2014-6512 OpenJDK: DatagramSocket connected socket missing source check (Libraries, 8039509) 1150155 - CVE-2014-6506 OpenJDK: insufficient permission checks when setting resource bundle on system logger (Libraries, 8041564) 1150651 - CVE-2014-6531 OpenJDK: insufficient ResourceBundle name check (Libraries, 8044274) 1150669 - CVE-2014-6502 OpenJDK: LogRecord use of incorrect CL when loading ResourceBundle (Libraries, 8042797) 1151046 - CVE-2014-6457 OpenJDK: Triple Handshake attack against TLS/SSL connections (JSSE, 8037066) 1151063 - CVE-2014-6558 OpenJDK: CipherInputStream incorrect exception handling (Security, 8037846) 1151517 - CVE-2014-6511 ICU: Layout Engine ContextualSubstitution missing boundary checks (JDK 2D, 8041540) 1152756 - CVE-2014-6532 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment) 1152757 - CVE-2014-6503 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment) 1152758 - CVE-2014-6456 Oracle JDK: unspecified vulnerability fixed in 7u71 and 8u25 (Deployment) 1152759 - CVE-2014-6492 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment) 1152760 - CVE-2014-6493 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment) 1152761 - CVE-2014-4288 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment) 1152763 - CVE-2014-6458 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment) 1152765 - CVE-2014-6476 Oracle JDK: unspecified vulnerability fixed in 7u71 and 8u25 (Deployment) 1152766 - CVE-2014-6515 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment) 1152767 - CVE-2014-6527 Oracle JDK: unspecified vulnerability fixed in 7u71 and 8u25 (Deployment) 1152789 - CVE-2014-3566 SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack 1162554 - CVE-2014-3065 IBM JDK: privilege escalation via shared class cache

    1. Package List:

    Red Hat Enterprise Linux Desktop Supplementary (v. 5):

    i386: java-1.7.0-ibm-1.7.0.8.0-1jpp.1.el5.i386.rpm java-1.7.0-ibm-demo-1.7.0.8.0-1jpp.1.el5.i386.rpm java-1.7.0-ibm-devel-1.7.0.8.0-1jpp.1.el5.i386.rpm java-1.7.0-ibm-jdbc-1.7.0.8.0-1jpp.1.el5.i386.rpm java-1.7.0-ibm-plugin-1.7.0.8.0-1jpp.1.el5.i386.rpm java-1.7.0-ibm-src-1.7.0.8.0-1jpp.1.el5.i386.rpm

    x86_64: java-1.7.0-ibm-1.7.0.8.0-1jpp.1.el5.i386.rpm java-1.7.0-ibm-1.7.0.8.0-1jpp.1.el5.x86_64.rpm java-1.7.0-ibm-demo-1.7.0.8.0-1jpp.1.el5.i386.rpm java-1.7.0-ibm-demo-1.7.0.8.0-1jpp.1.el5.x86_64.rpm java-1.7.0-ibm-devel-1.7.0.8.0-1jpp.1.el5.i386.rpm java-1.7.0-ibm-devel-1.7.0.8.0-1jpp.1.el5.x86_64.rpm java-1.7.0-ibm-jdbc-1.7.0.8.0-1jpp.1.el5.i386.rpm java-1.7.0-ibm-jdbc-1.7.0.8.0-1jpp.1.el5.x86_64.rpm java-1.7.0-ibm-plugin-1.7.0.8.0-1jpp.1.el5.i386.rpm java-1.7.0-ibm-plugin-1.7.0.8.0-1jpp.1.el5.x86_64.rpm java-1.7.0-ibm-src-1.7.0.8.0-1jpp.1.el5.i386.rpm java-1.7.0-ibm-src-1.7.0.8.0-1jpp.1.el5.x86_64.rpm

    Red Hat Enterprise Linux Server Supplementary (v. 5):

    i386: java-1.7.0-ibm-1.7.0.8.0-1jpp.1.el5.i386.rpm java-1.7.0-ibm-demo-1.7.0.8.0-1jpp.1.el5.i386.rpm java-1.7.0-ibm-devel-1.7.0.8.0-1jpp.1.el5.i386.rpm java-1.7.0-ibm-jdbc-1.7.0.8.0-1jpp.1.el5.i386.rpm java-1.7.0-ibm-plugin-1.7.0.8.0-1jpp.1.el5.i386.rpm java-1.7.0-ibm-src-1.7.0.8.0-1jpp.1.el5.i386.rpm

    ppc: java-1.7.0-ibm-1.7.0.8.0-1jpp.1.el5.ppc.rpm java-1.7.0-ibm-1.7.0.8.0-1jpp.1.el5.ppc64.rpm java-1.7.0-ibm-demo-1.7.0.8.0-1jpp.1.el5.ppc.rpm java-1.7.0-ibm-demo-1.7.0.8.0-1jpp.1.el5.ppc64.rpm java-1.7.0-ibm-devel-1.7.0.8.0-1jpp.1.el5.ppc.rpm java-1.7.0-ibm-devel-1.7.0.8.0-1jpp.1.el5.ppc64.rpm java-1.7.0-ibm-jdbc-1.7.0.8.0-1jpp.1.el5.ppc.rpm java-1.7.0-ibm-jdbc-1.7.0.8.0-1jpp.1.el5.ppc64.rpm java-1.7.0-ibm-plugin-1.7.0.8.0-1jpp.1.el5.ppc.rpm java-1.7.0-ibm-src-1.7.0.8.0-1jpp.1.el5.ppc.rpm java-1.7.0-ibm-src-1.7.0.8.0-1jpp.1.el5.ppc64.rpm

    s390x: java-1.7.0-ibm-1.7.0.8.0-1jpp.1.el5.s390.rpm java-1.7.0-ibm-1.7.0.8.0-1jpp.1.el5.s390x.rpm java-1.7.0-ibm-demo-1.7.0.8.0-1jpp.1.el5.s390.rpm java-1.7.0-ibm-demo-1.7.0.8.0-1jpp.1.el5.s390x.rpm java-1.7.0-ibm-devel-1.7.0.8.0-1jpp.1.el5.s390.rpm java-1.7.0-ibm-devel-1.7.0.8.0-1jpp.1.el5.s390x.rpm java-1.7.0-ibm-jdbc-1.7.0.8.0-1jpp.1.el5.s390.rpm java-1.7.0-ibm-jdbc-1.7.0.8.0-1jpp.1.el5.s390x.rpm java-1.7.0-ibm-src-1.7.0.8.0-1jpp.1.el5.s390.rpm java-1.7.0-ibm-src-1.7.0.8.0-1jpp.1.el5.s390x.rpm

    x86_64: java-1.7.0-ibm-1.7.0.8.0-1jpp.1.el5.i386.rpm java-1.7.0-ibm-1.7.0.8.0-1jpp.1.el5.x86_64.rpm java-1.7.0-ibm-demo-1.7.0.8.0-1jpp.1.el5.i386.rpm java-1.7.0-ibm-demo-1.7.0.8.0-1jpp.1.el5.x86_64.rpm java-1.7.0-ibm-devel-1.7.0.8.0-1jpp.1.el5.i386.rpm java-1.7.0-ibm-devel-1.7.0.8.0-1jpp.1.el5.x86_64.rpm java-1.7.0-ibm-jdbc-1.7.0.8.0-1jpp.1.el5.i386.rpm java-1.7.0-ibm-jdbc-1.7.0.8.0-1jpp.1.el5.x86_64.rpm java-1.7.0-ibm-plugin-1.7.0.8.0-1jpp.1.el5.i386.rpm java-1.7.0-ibm-plugin-1.7.0.8.0-1jpp.1.el5.x86_64.rpm java-1.7.0-ibm-src-1.7.0.8.0-1jpp.1.el5.i386.rpm java-1.7.0-ibm-src-1.7.0.8.0-1jpp.1.el5.x86_64.rpm

    These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

    1. References:

    https://access.redhat.com/security/cve/CVE-2014-3065 https://access.redhat.com/security/cve/CVE-2014-3566 https://access.redhat.com/security/cve/CVE-2014-4288 https://access.redhat.com/security/cve/CVE-2014-6456 https://access.redhat.com/security/cve/CVE-2014-6457 https://access.redhat.com/security/cve/CVE-2014-6458 https://access.redhat.com/security/cve/CVE-2014-6476 https://access.redhat.com/security/cve/CVE-2014-6492 https://access.redhat.com/security/cve/CVE-2014-6493 https://access.redhat.com/security/cve/CVE-2014-6502 https://access.redhat.com/security/cve/CVE-2014-6503 https://access.redhat.com/security/cve/CVE-2014-6506 https://access.redhat.com/security/cve/CVE-2014-6511 https://access.redhat.com/security/cve/CVE-2014-6512 https://access.redhat.com/security/cve/CVE-2014-6515 https://access.redhat.com/security/cve/CVE-2014-6527 https://access.redhat.com/security/cve/CVE-2014-6531 https://access.redhat.com/security/cve/CVE-2014-6532 https://access.redhat.com/security/cve/CVE-2014-6558 https://access.redhat.com/security/updates/classification/#critical https://www.ibm.com/developerworks/java/jdk/alerts/ https://www-01.ibm.com/support/docview.wss?uid=swg21688165

    1. Contact:

    The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/

    Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1

    iD8DBQFUbOWGXlSAg2UNWIIRAhPmAJ96YO5JFEg4GS1MkDIeXQkRxbN0hACgoUiY ehbScogUJnSordhBH11LgWQ= =ko7F -----END PGP SIGNATURE-----

    -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce .

    ftp://ssl098zc:Secure12@ftp.usa.hp.com

    User name: ssl098zc Password: (NOTE: Case sensitive) Secure12

    HP-UX Release HP-UX OpenSSL version

    B.11.11 (11i v1) A.00.09.08zc.001_HP-UX_B.11.11_32+64.depot

    B.11.23 (11i v2) A.00.09.08zc.002_HP-UX_B.11.23_IA-PA.depot

    B.11.31 (11i v3) A.00.09.08zc.003_HP-UX_B.11.31_IA-PA.depot

    MANUAL ACTIONS: Yes - Update

    Install OpenSSL A.00.09.08zc or subsequent

    PRODUCT SPECIFIC INFORMATION

    HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa

    The following text is for use by the HP-UX Software Assistant.

    The update is available from HPE Software Depot: https://h20392.www2.hpe.com/ portal/swdepot/displayProductInfo.do?productNumber=HPVPRhttps://www.hpe.com

    Note: HPE recommends customers using OV4VC 7.8.1 and earlier should upgrade to OV4VC 7.8.2. This addresses all SSL security vulnerabilities reported through March 28, 2016. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

    Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04496538

    SUPPORT COMMUNICATION - SECURITY BULLETIN

    Document ID: c04496538 Version: 1

    HPSBGN03164 rev.1 - HP IceWall SSO Dfw, SSO Certd and MCRP running OpenSSL, Remote Disclosure of Information

    NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

    Release Date: 2014-11-10 Last Updated: 2014-11-10

    Potential Security Impact: Remote disclosure of information

    Source: Hewlett-Packard Company, HP Software Security Response Team

    VULNERABILITY SUMMARY A potential security vulnerability has been identified with HP IceWall SSO Dfw , SSO Certd, and MCRP running OpenSSL.

    This is the SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy Encryption" or "Poodle", which could be exploited remotely resulting in disclosure of information..

    References: CVE-2014-3566 (SSRT101789)

    SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

    • HP IceWall MCRP v2.1, v3.0
    • HP IceWall SSO Dfw v8.0, v8.0 R1, v8.0 R2, v8.0 R3, and v10.0
    • HP IceWall SSO Certd v8.0R3 with DB plugin patch 2 and v10.0

    BACKGROUND

    CVSS 2.0 Base Metrics

    Reference Base Vector Base Score CVE-2014-3566 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

    RESOLUTION

    HP recommends the following software updates and workaround instructions to resolve this vulnerability for HP IceWall SSO Dfw, SSO Certd, and MCRP.

    The software updates are available at:

     http://www.hp.com/jp/icewall_patchaccess
    

    Notes:

    - There are no updates or mitigations for MCRP 2.1 and Dfw
    

    8.0/8.0R1/8.0R2/8.0R3. - HP recommends updating these older versions to the latest versions and patches and then following the WORKAROUND INSTRUCTIONS below. - The WORKAROUND INSTRUCTIONS should be followed after applying the following updates.

    Software Update Versions

    HP IceWall MCRP 3.0 Patch release 1
    
    HP IceWall SSO Dfw 10.0 Patch release 7
    

    Note: Both software update versions provide the use of TLSv1 which is not vulnerable and available for each supported platform.

    WORKAROUND INSTRUCTIONS

    HP recommends the following information to protect against potential risk for the following HP IceWall products.

    HP IceWall SSO Dfw and MCRP
    
      - If possible, do not use the SHOST setting which allows IceWall SSO
    

    Dfw or MCRP to use SSL/TLS protocol to back-end web servers.

      - The following steps should be applied if SSL/TLS protocol to back-end
    

    web servers must be used:

        o For MCRP: apply MCRP patch release 1
        o For Dfw: apply Dfw patch release 7 or later
        o Set SSL_PROTOCOL parameter to TLSv1
    
    HP IceWall SSO Certd
    
      - For Certd version 10.0 and 8.0R3: apply DB plugin patch release 2
    
      - If possible, do not use the LDAPSSL setting which allows IceWall SSO
    

    Certd to connect to the LDAP server using SSL/TLS protocol.

      - If SSL/TLS protocol must be used to LDAP server, configure the LDAP
    

    server to use only TLSv1 as a mitigation for the vulnerability. For example, on an OpenLDAP server (slapd), Set the TLSProtocolMin parameter.

    Note: The HP IceWall product is only available in Japan.

    HISTORY Version:1 (rev.1) - 10 November 2014 Initial release

    Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

    Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com.

    Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com

    Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

    Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

    Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.

    3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX

    Copyright 2014 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

    HP SiteScope 11.1x HP SiteScope 11.2x

    Important note: HP SiteScope is impacted if and only if it is configured to work over secure channel (HTTPS). This protocol is now disabled by default.

    For the oldstable distribution (wheezy), this problem has been fixed in version 1.4.31-4+deb7u4.

    We recommend that you upgrade your lighttpd packages

    Show details on source website

    {
      "affected_products": {
        "_id": null,
        "data": [
          {
            "_id": null,
            "model": "aix",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "ibm",
            "version": "6.1"
          },
          {
            "_id": null,
            "model": "aix",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "ibm",
            "version": "5.3"
          },
          {
            "_id": null,
            "model": "aix",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "ibm",
            "version": "7.1"
          },
          {
            "_id": null,
            "model": "suse linux enterprise software development kit",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "novell",
            "version": "11.0"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8u"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8o"
          },
          {
            "_id": null,
            "model": "opensuse",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "opensuse",
            "version": "12.3"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8w"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "1.0.0d"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "1.0.1f"
          },
          {
            "_id": null,
            "model": "vios",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ibm",
            "version": "2.2.1.9"
          },
          {
            "_id": null,
            "model": "suse linux enterprise server",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "novell",
            "version": "11.0"
          },
          {
            "_id": null,
            "model": "netbsd",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "netbsd",
            "version": "6.0.5"
          },
          {
            "_id": null,
            "model": "enterprise linux server supplementary",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "redhat",
            "version": "7.0"
          },
          {
            "_id": null,
            "model": "suse linux enterprise server",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "novell",
            "version": "12.0"
          },
          {
            "_id": null,
            "model": "enterprise linux server",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "redhat",
            "version": "7.0"
          },
          {
            "_id": null,
            "model": "enterprise linux server supplementary",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "redhat",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8x"
          },
          {
            "_id": null,
            "model": "fedora",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "fedoraproject",
            "version": "21"
          },
          {
            "_id": null,
            "model": "enterprise linux desktop supplementary",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "redhat",
            "version": "5.0"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8za"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "1.0.0b"
          },
          {
            "_id": null,
            "model": "fedora",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "fedoraproject",
            "version": "19"
          },
          {
            "_id": null,
            "model": "enterprise linux server",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "redhat",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "1.0.0m"
          },
          {
            "_id": null,
            "model": "opensuse",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "opensuse",
            "version": "13.1"
          },
          {
            "_id": null,
            "model": "netbsd",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "netbsd",
            "version": "6.0.1"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8p"
          },
          {
            "_id": null,
            "model": "netbsd",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "netbsd",
            "version": "5.1.2"
          },
          {
            "_id": null,
            "model": "linux",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "debian",
            "version": "8.0"
          },
          {
            "_id": null,
            "model": "vios",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ibm",
            "version": "2.2.1.0"
          },
          {
            "_id": null,
            "model": "database",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "11.2.0.4"
          },
          {
            "_id": null,
            "model": "vios",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ibm",
            "version": "2.2.1.7"
          },
          {
            "_id": null,
            "model": "enterprise linux",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "redhat",
            "version": "5"
          },
          {
            "_id": null,
            "model": "enterprise linux workstation",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "redhat",
            "version": "7.0"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8d"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "1.0.1b"
          },
          {
            "_id": null,
            "model": "netbsd",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "netbsd",
            "version": "6.0.4"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8z"
          },
          {
            "_id": null,
            "model": "netbsd",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "netbsd",
            "version": "6.1.5"
          },
          {
            "_id": null,
            "model": "mac os x",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "apple",
            "version": "10.10.1"
          },
          {
            "_id": null,
            "model": "enterprise linux workstation",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "redhat",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "netbsd",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "netbsd",
            "version": "6.1"
          },
          {
            "_id": null,
            "model": "suse linux enterprise desktop",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "novell",
            "version": "12.0"
          },
          {
            "_id": null,
            "model": "suse linux enterprise desktop",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "novell",
            "version": "10.0"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8v"
          },
          {
            "_id": null,
            "model": "netbsd",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "netbsd",
            "version": "6.1.3"
          },
          {
            "_id": null,
            "model": "vios",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ibm",
            "version": "2.2.0.12"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "1.0.1h"
          },
          {
            "_id": null,
            "model": "vios",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ibm",
            "version": "2.2.1.3"
          },
          {
            "_id": null,
            "model": "mageia",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "mageia",
            "version": "3.0"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "1.0.0j"
          },
          {
            "_id": null,
            "model": "enterprise linux desktop",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "redhat",
            "version": "7.0"
          },
          {
            "_id": null,
            "model": "vios",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ibm",
            "version": "2.2.2.5"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8zb"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "1.0.1e"
          },
          {
            "_id": null,
            "model": "vios",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ibm",
            "version": "2.2.1.4"
          },
          {
            "_id": null,
            "model": "netbsd",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "netbsd",
            "version": "5.1"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8e"
          },
          {
            "_id": null,
            "model": "vios",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ibm",
            "version": "2.2.0.11"
          },
          {
            "_id": null,
            "model": "netbsd",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "netbsd",
            "version": "6.0.3"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8q"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "1.0.0f"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "1.0.0n"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "1.0.1i"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8f"
          },
          {
            "_id": null,
            "model": "vios",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ibm",
            "version": "2.2.0.10"
          },
          {
            "_id": null,
            "model": "netbsd",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "netbsd",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "suse linux enterprise software development kit",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "novell",
            "version": "12.0"
          },
          {
            "_id": null,
            "model": "vios",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ibm",
            "version": "2.2.1.5"
          },
          {
            "_id": null,
            "model": "vios",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ibm",
            "version": "2.2.2.3"
          },
          {
            "_id": null,
            "model": "enterprise linux workstation supplementary",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "redhat",
            "version": "7.0"
          },
          {
            "_id": null,
            "model": "suse linux enterprise desktop",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "novell",
            "version": "9.0"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8g"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8l"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "1.0.0e"
          },
          {
            "_id": null,
            "model": "vios",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ibm",
            "version": "2.2.3.0"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8k"
          },
          {
            "_id": null,
            "model": "netbsd",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "netbsd",
            "version": "5.1.4"
          },
          {
            "_id": null,
            "model": "linux",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "debian",
            "version": "7.0"
          },
          {
            "_id": null,
            "model": "enterprise linux workstation supplementary",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "redhat",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8i"
          },
          {
            "_id": null,
            "model": "vios",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ibm",
            "version": "2.2.2.2"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "1.0.0k"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8a"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "1.0.1d"
          },
          {
            "_id": null,
            "model": "vios",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ibm",
            "version": "2.2.3.2"
          },
          {
            "_id": null,
            "model": "netbsd",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "netbsd",
            "version": "6.0.6"
          },
          {
            "_id": null,
            "model": "enterprise linux desktop supplementary",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "redhat",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "1.0.1c"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8r"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8t"
          },
          {
            "_id": null,
            "model": "vios",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ibm",
            "version": "2.2.2.4"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "1.0.0g"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8m"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "1.0.1g"
          },
          {
            "_id": null,
            "model": "vios",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ibm",
            "version": "2.2.0.13"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8n"
          },
          {
            "_id": null,
            "model": "enterprise linux server supplementary",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "redhat",
            "version": "5.0"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8j"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "1.0.0"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "1.0.0h"
          },
          {
            "_id": null,
            "model": "netbsd",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "netbsd",
            "version": "6.1.4"
          },
          {
            "_id": null,
            "model": "vios",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ibm",
            "version": "2.2.3.4"
          },
          {
            "_id": null,
            "model": "netbsd",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "netbsd",
            "version": "5.1.3"
          },
          {
            "_id": null,
            "model": "suse linux enterprise desktop",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "novell",
            "version": "11.0"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8c"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "1.0.0a"
          },
          {
            "_id": null,
            "model": "vios",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ibm",
            "version": "2.2.3.3"
          },
          {
            "_id": null,
            "model": "netbsd",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "netbsd",
            "version": "5.2.1"
          },
          {
            "_id": null,
            "model": "mageia",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "mageia",
            "version": "4.0"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8b"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8s"
          },
          {
            "_id": null,
            "model": "vios",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ibm",
            "version": "2.2.2.0"
          },
          {
            "_id": null,
            "model": "database",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "oracle",
            "version": "12.1.0.2"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "1.0.0l"
          },
          {
            "_id": null,
            "model": "netbsd",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "netbsd",
            "version": "5.2"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8h"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "0.9.8y"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "1.0.1"
          },
          {
            "_id": null,
            "model": "vios",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ibm",
            "version": "2.2.1.1"
          },
          {
            "_id": null,
            "model": "vios",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ibm",
            "version": "2.2.1.6"
          },
          {
            "_id": null,
            "model": "vios",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ibm",
            "version": "2.2.3.1"
          },
          {
            "_id": null,
            "model": "vios",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ibm",
            "version": "2.2.1.8"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "1.0.0c"
          },
          {
            "_id": null,
            "model": "netbsd",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "netbsd",
            "version": "6.1.2"
          },
          {
            "_id": null,
            "model": "enterprise linux desktop",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "redhat",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "netbsd",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "netbsd",
            "version": "5.2.2"
          },
          {
            "_id": null,
            "model": "netbsd",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "netbsd",
            "version": "6.1.1"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "1.0.0i"
          },
          {
            "_id": null,
            "model": "fedora",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "fedoraproject",
            "version": "20"
          },
          {
            "_id": null,
            "model": "openssl",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "openssl",
            "version": "1.0.1a"
          },
          {
            "_id": null,
            "model": "vios",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ibm",
            "version": "2.2.2.1"
          },
          {
            "_id": null,
            "model": "netbsd",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "netbsd",
            "version": "5.1.1"
          },
          {
            "_id": null,
            "model": "netbsd",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "netbsd",
            "version": "6.0.2"
          },
          {
            "_id": null,
            "model": "system management homepage",
            "scope": "eq",
            "trust": 0.6,
            "vendor": "hp",
            "version": "6.1"
          },
          {
            "_id": null,
            "model": "rational clearquest",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "8.0.0.1"
          },
          {
            "_id": null,
            "model": "websphere application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.0.17"
          },
          {
            "_id": null,
            "model": "tv",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "4.2"
          },
          {
            "_id": null,
            "model": "windows vista service pack",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "microsoft",
            "version": "20"
          },
          {
            "_id": null,
            "model": "websphere application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.12"
          },
          {
            "_id": null,
            "model": "project openssl 0.9.8f",
            "scope": null,
            "trust": 0.3,
            "vendor": "openssl",
            "version": null
          },
          {
            "_id": null,
            "model": "fortigate",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "fortinet",
            "version": "4.3.6"
          },
          {
            "_id": null,
            "model": "integrated lights out",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "21.16"
          },
          {
            "_id": null,
            "model": "project openssl 1.0.0d",
            "scope": null,
            "trust": 0.3,
            "vendor": "openssl",
            "version": null
          },
          {
            "_id": null,
            "model": "tivoli provisioning manager for os deployment 5.1.fix pack",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "3"
          },
          {
            "_id": null,
            "model": "websphere mq",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.1.0"
          },
          {
            "_id": null,
            "model": "version control repository manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "2.1.8.780"
          },
          {
            "_id": null,
            "model": "project openssl 1.0.1a",
            "scope": null,
            "trust": 0.3,
            "vendor": "openssl",
            "version": null
          },
          {
            "_id": null,
            "model": "project openssl b",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "openssl",
            "version": "0.9.8"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.5.7"
          },
          {
            "_id": null,
            "model": "tv",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "4.1"
          },
          {
            "_id": null,
            "model": "http server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.11"
          },
          {
            "_id": null,
            "model": "aura application enablement services",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.1"
          },
          {
            "_id": null,
            "model": "aura session manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.2.1"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "4.0.1"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.3.1"
          },
          {
            "_id": null,
            "model": "meeting exchange sp1",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "5.1"
          },
          {
            "_id": null,
            "model": "project openssl k",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "openssl",
            "version": "0.9.8"
          },
          {
            "_id": null,
            "model": "rational software architect",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.5"
          },
          {
            "_id": null,
            "model": "project openssl 1.0.0g",
            "scope": null,
            "trust": 0.3,
            "vendor": "openssl",
            "version": null
          },
          {
            "_id": null,
            "model": "websphere application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.0.5"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.1"
          },
          {
            "_id": null,
            "model": "unified contact center enterprise",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "cisco",
            "version": "0"
          },
          {
            "_id": null,
            "model": "websphere application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "6.1"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "4.2.10"
          },
          {
            "_id": null,
            "model": "rational team concert",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "3.0"
          },
          {
            "_id": null,
            "model": "websphere mq",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.1.1"
          },
          {
            "_id": null,
            "model": "phaser",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "xerox",
            "version": "78000"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.1.3"
          },
          {
            "_id": null,
            "model": "hat enterprise linux supplementary server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "red",
            "version": "5"
          },
          {
            "_id": null,
            "model": "version control agent",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "6.1.0.842"
          },
          {
            "_id": null,
            "model": "hat enterprise linux hpc node",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "red",
            "version": "6"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.2.4"
          },
          {
            "_id": null,
            "model": "aura communication manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "aura system manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.1.3"
          },
          {
            "_id": null,
            "model": "linux sparc",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "debian",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "tivoli provisioning manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "2.1"
          },
          {
            "_id": null,
            "model": "aura system platform",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "websphere application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "8.0"
          },
          {
            "_id": null,
            "model": "http server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.0.5"
          },
          {
            "_id": null,
            "model": "web interface",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "citrix",
            "version": "4.0"
          },
          {
            "_id": null,
            "model": "ace appliance",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "cisco",
            "version": "47100"
          },
          {
            "_id": null,
            "model": "aura system platform sp2",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "project openssl 0.9.8w",
            "scope": null,
            "trust": 0.3,
            "vendor": "openssl",
            "version": null
          },
          {
            "_id": null,
            "model": "aura session manager sp1",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "5.2"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.3.8"
          },
          {
            "_id": null,
            "model": "http server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "6.1.15"
          },
          {
            "_id": null,
            "model": "operations agent",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "11.0"
          },
          {
            "_id": null,
            "model": "nexus",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "cisco",
            "version": "70000"
          },
          {
            "_id": null,
            "model": "wireless location appliance",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "cisco",
            "version": "0"
          },
          {
            "_id": null,
            "model": "open source",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "asterisk",
            "version": "1.8.3.1"
          },
          {
            "_id": null,
            "model": "project openssl 0.9.8m",
            "scope": null,
            "trust": 0.3,
            "vendor": "openssl",
            "version": null
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.5.6"
          },
          {
            "_id": null,
            "model": "project openssl j",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "openssl",
            "version": "0.9.8"
          },
          {
            "_id": null,
            "model": "meeting exchange sp2",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "5.0"
          },
          {
            "_id": null,
            "model": "aura application server sip core",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "53002.0"
          },
          {
            "_id": null,
            "model": "http server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "6.1.0.37"
          },
          {
            "_id": null,
            "model": "meeting exchange",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "5.0.0.52"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.7.2"
          },
          {
            "_id": null,
            "model": "meeting exchange",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "ip office application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "8.0"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.4.5"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.5.4"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.2.6"
          },
          {
            "_id": null,
            "model": "hat enterprise linux server supplementary",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "red",
            "version": "6"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.3"
          },
          {
            "_id": null,
            "model": "tivoli directory server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "6.1"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.4.4"
          },
          {
            "_id": null,
            "model": "tivoli storage productivity center",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "4.2.1"
          },
          {
            "_id": null,
            "model": "project openssl",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "openssl",
            "version": "1.0"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.0.2"
          },
          {
            "_id": null,
            "model": "aura messaging",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "aura session manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.1.2"
          },
          {
            "_id": null,
            "model": "websphere process server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.4"
          },
          {
            "_id": null,
            "model": "commonstore for lotus domino",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "8.4"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "4.2.7"
          },
          {
            "_id": null,
            "model": "aura system manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "5.2"
          },
          {
            "_id": null,
            "model": "web interface",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "citrix",
            "version": "3.0"
          },
          {
            "_id": null,
            "model": "project openssl 0.9.8r",
            "scope": null,
            "trust": 0.3,
            "vendor": "openssl",
            "version": null
          },
          {
            "_id": null,
            "model": "aura session manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "project openssl 0.9.8n",
            "scope": null,
            "trust": 0.3,
            "vendor": "openssl",
            "version": null
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "4.3.2"
          },
          {
            "_id": null,
            "model": "version control repository manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "2.2.0.820"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.5.5"
          },
          {
            "_id": null,
            "model": "aura system manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.1.1"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.3.4"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "5.1.1"
          },
          {
            "_id": null,
            "model": "project openssl beta4",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "openssl",
            "version": "1.0.0"
          },
          {
            "_id": null,
            "model": "rational policy tester",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "8.5"
          },
          {
            "_id": null,
            "model": "websphere lombardi edition",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.2.0"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.4.1"
          },
          {
            "_id": null,
            "model": "hat enterprise linux desktop optional",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "red",
            "version": "6"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.5.2"
          },
          {
            "_id": null,
            "model": "project openssl beta5",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "openssl",
            "version": "1.0.0"
          },
          {
            "_id": null,
            "model": "websphere application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.0.23"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.4.3"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "4.3.1"
          },
          {
            "_id": null,
            "model": "http server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "6.1.0.13"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "3.2"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "4.2.6"
          },
          {
            "_id": null,
            "model": "tv",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "4.3"
          },
          {
            "_id": null,
            "model": "meeting exchange sp1",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "5.0"
          },
          {
            "_id": null,
            "model": "project openssl 0.9.8p",
            "scope": null,
            "trust": 0.3,
            "vendor": "openssl",
            "version": null
          },
          {
            "_id": null,
            "model": "http server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "6.1.0"
          },
          {
            "_id": null,
            "model": "websphere application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.0.15"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.1.1"
          },
          {
            "_id": null,
            "model": "version control repository manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "2.2.1.830"
          },
          {
            "_id": null,
            "model": "http server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "6.1.31"
          },
          {
            "_id": null,
            "model": "websphere application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.0.14"
          },
          {
            "_id": null,
            "model": "web experience factory",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0"
          },
          {
            "_id": null,
            "model": "network collector",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "cisco",
            "version": "0"
          },
          {
            "_id": null,
            "model": "linux ia-64",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "debian",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "tv",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "5.0"
          },
          {
            "_id": null,
            "model": "enterprise linux",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "oracle",
            "version": "6.2"
          },
          {
            "_id": null,
            "model": "esxi",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "vmware",
            "version": "5.0"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "4.0.2"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "4.2"
          },
          {
            "_id": null,
            "model": "networks sa2000",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "juniper",
            "version": "0"
          },
          {
            "_id": null,
            "model": "hat enterprise linux server optional",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "red",
            "version": "6"
          },
          {
            "_id": null,
            "model": "websphere application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.9"
          },
          {
            "_id": null,
            "model": "websphere application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.13"
          },
          {
            "_id": null,
            "model": "directory pro",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "cosmicperl",
            "version": "10.0.3"
          },
          {
            "_id": null,
            "model": "http server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.0.15"
          },
          {
            "_id": null,
            "model": "version control agent",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "2.1.7.770"
          },
          {
            "_id": null,
            "model": "meeting exchange sp2",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "5.2"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.03"
          },
          {
            "_id": null,
            "model": "web interface",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "citrix",
            "version": "4.5.1"
          },
          {
            "_id": null,
            "model": "tivoli storage productivity center",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "4.2.1.185"
          },
          {
            "_id": null,
            "model": "aura messaging",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.0.1"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "4.1"
          },
          {
            "_id": null,
            "model": "project openssl 0.9.8q",
            "scope": null,
            "trust": 0.3,
            "vendor": "openssl",
            "version": null
          },
          {
            "_id": null,
            "model": "websphere application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.8"
          },
          {
            "_id": null,
            "model": "aura session manager sp1",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.1"
          },
          {
            "_id": null,
            "model": "networks sa6500 fips",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "juniper",
            "version": "0"
          },
          {
            "_id": null,
            "model": "windows server sp2",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "microsoft",
            "version": "2003x64"
          },
          {
            "_id": null,
            "model": "iq",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "5.2"
          },
          {
            "_id": null,
            "model": "aura presence services",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.1"
          },
          {
            "_id": null,
            "model": "websphere mq",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "3.0"
          },
          {
            "_id": null,
            "model": "version control repository manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "2.1.10.800"
          },
          {
            "_id": null,
            "model": "ssl for openvms",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "1.4-453"
          },
          {
            "_id": null,
            "model": "windows server r2 for x64-based systems sp1",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "microsoft",
            "version": "2008"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.4"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.0"
          },
          {
            "_id": null,
            "model": "tv",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "4.4"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.1.5"
          },
          {
            "_id": null,
            "model": "project openssl 1.0.1c",
            "scope": null,
            "trust": 0.3,
            "vendor": "openssl",
            "version": null
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "3.1"
          },
          {
            "_id": null,
            "model": "cics transaction gateway",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "8.0"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.7.4"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "4.3.5"
          },
          {
            "_id": null,
            "model": "http server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.0.17"
          },
          {
            "_id": null,
            "model": "project openssl",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "openssl",
            "version": "0.9.8v"
          },
          {
            "_id": null,
            "model": "websphere lombardi edition",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.2"
          },
          {
            "_id": null,
            "model": "websphere application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.0.7"
          },
          {
            "_id": null,
            "model": "websphere application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.0.1"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.2.5"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.0.1"
          },
          {
            "_id": null,
            "model": "http server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "6.1.27"
          },
          {
            "_id": null,
            "model": "hat enterprise linux desktop supplementary",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "red",
            "version": "6"
          },
          {
            "_id": null,
            "model": "windows server for x64-based systems sp2",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "microsoft",
            "version": "2008"
          },
          {
            "_id": null,
            "model": "project openssl 0.9.8g",
            "scope": null,
            "trust": 0.3,
            "vendor": "openssl",
            "version": null
          },
          {
            "_id": null,
            "model": "meeting exchange",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "5.0"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.5.3"
          },
          {
            "_id": null,
            "model": "version control agent",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "2.1.5"
          },
          {
            "_id": null,
            "model": "linux amd64",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "debian",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.5"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.1.2"
          },
          {
            "_id": null,
            "model": "meeting exchange sp1",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "5.2"
          },
          {
            "_id": null,
            "model": "version control repository manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "6.2.0.860"
          },
          {
            "_id": null,
            "model": "lotus domino",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "8.0.2"
          },
          {
            "_id": null,
            "model": "project openssl beta2",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "openssl",
            "version": "1.0"
          },
          {
            "_id": null,
            "model": "http server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.0.13"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "4.2.1"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.4.6"
          },
          {
            "_id": null,
            "model": "websphere application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.0.0"
          },
          {
            "_id": null,
            "model": "runtimes for java technology",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "5.0"
          },
          {
            "_id": null,
            "model": "linux mips",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "debian",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "hp-ux b.11.11",
            "scope": null,
            "trust": 0.3,
            "vendor": "hp",
            "version": null
          },
          {
            "_id": null,
            "model": "websphere application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.0.19"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.4.8"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.6"
          },
          {
            "_id": null,
            "model": "networks sa6000 fips",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "juniper",
            "version": "0"
          },
          {
            "_id": null,
            "model": "version control repository manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "6.0.0.840"
          },
          {
            "_id": null,
            "model": "tv",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "1.0"
          },
          {
            "_id": null,
            "model": "hat enterprise linux desktop supplementary client",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "red",
            "version": "5"
          },
          {
            "_id": null,
            "model": "http server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "8.0"
          },
          {
            "_id": null,
            "model": "http server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "6.1.25"
          },
          {
            "_id": null,
            "model": "aura system manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.1"
          },
          {
            "_id": null,
            "model": "rational clearquest",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.1.2.5"
          },
          {
            "_id": null,
            "model": "aura system manager sp2",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.1"
          },
          {
            "_id": null,
            "model": "tivoli provisioning manager for os deployment",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "5.1.116"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "5.0.1"
          },
          {
            "_id": null,
            "model": "project openssl 0.9.8l",
            "scope": null,
            "trust": 0.3,
            "vendor": "openssl",
            "version": null
          },
          {
            "_id": null,
            "model": "version control repository manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "2.1.3.740"
          },
          {
            "_id": null,
            "model": "rational software architect",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.5.5.2"
          },
          {
            "_id": null,
            "model": "aura application enablement services",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "3.1.6"
          },
          {
            "_id": null,
            "model": "windows server itanium sp2",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "microsoft",
            "version": "2003"
          },
          {
            "_id": null,
            "model": "ediscovery analyzer",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "2.2"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.2.3"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "3.2.1"
          },
          {
            "_id": null,
            "model": "project openssl h",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "openssl",
            "version": "0.9.8"
          },
          {
            "_id": null,
            "model": "aura session manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.1.3"
          },
          {
            "_id": null,
            "model": "aura session manager sp2",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "5.2"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "4.2.5"
          },
          {
            "_id": null,
            "model": "hat enterprise linux workstation supplementary",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "red",
            "version": "6"
          },
          {
            "_id": null,
            "model": "project openssl i",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "openssl",
            "version": "0.9.8"
          },
          {
            "_id": null,
            "model": "project openssl 1.0.0i",
            "scope": null,
            "trust": 0.3,
            "vendor": "openssl",
            "version": null
          },
          {
            "_id": null,
            "model": "web interface",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "citrix",
            "version": "5.0.2"
          },
          {
            "_id": null,
            "model": "meeting exchange",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "5.1"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.3.2"
          },
          {
            "_id": null,
            "model": "hp-ux b.11.23",
            "scope": null,
            "trust": 0.3,
            "vendor": "hp",
            "version": null
          },
          {
            "_id": null,
            "model": "tivoli directory server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "4"
          },
          {
            "_id": null,
            "model": "websphere application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "8.0.0.1"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "4.3"
          },
          {
            "_id": null,
            "model": "websphere application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0"
          },
          {
            "_id": null,
            "model": "web interface",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "citrix",
            "version": "5.1"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.3.9"
          },
          {
            "_id": null,
            "model": "enterprise linux",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "oracle",
            "version": "5"
          },
          {
            "_id": null,
            "model": "tivoli provisioning manager for os deployment intirim fix",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "5.133"
          },
          {
            "_id": null,
            "model": "iq",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "5.1.1"
          },
          {
            "_id": null,
            "model": "network automation",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "9.10"
          },
          {
            "_id": null,
            "model": "aura application enablement services",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "5.2.3"
          },
          {
            "_id": null,
            "model": "project openssl 1.0.0e",
            "scope": null,
            "trust": 0.3,
            "vendor": "openssl",
            "version": null
          },
          {
            "_id": null,
            "model": "rational method composer",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.2"
          },
          {
            "_id": null,
            "model": "project openssl beta1",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "openssl",
            "version": "1.0"
          },
          {
            "_id": null,
            "model": "meeting exchange",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "5.2"
          },
          {
            "_id": null,
            "model": "aura communication manager utility services",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.1"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.2"
          },
          {
            "_id": null,
            "model": "websphere application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "8.0.0.4"
          },
          {
            "_id": null,
            "model": "project openssl a",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "openssl",
            "version": "0.9.8"
          },
          {
            "_id": null,
            "model": "project openssl",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "openssl",
            "version": "0.9.8"
          },
          {
            "_id": null,
            "model": "tivoli directory server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "6.3"
          },
          {
            "_id": null,
            "model": "version control agent",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "2.1.4"
          },
          {
            "_id": null,
            "model": "sitescope",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "11.1"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.2.1"
          },
          {
            "_id": null,
            "model": "project openssl c",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "openssl",
            "version": "0.9.8"
          },
          {
            "_id": null,
            "model": "ssl for openvms",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "1.4"
          },
          {
            "_id": null,
            "model": "version control repository manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "2.2.2.835"
          },
          {
            "_id": null,
            "model": "http server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "6.1.0.1"
          },
          {
            "_id": null,
            "model": "http server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "6.1.0.35"
          },
          {
            "_id": null,
            "model": "hat enterprise linux desktop client",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "red",
            "version": "5"
          },
          {
            "_id": null,
            "model": "project openssl",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "openssl",
            "version": "0.9.8x"
          },
          {
            "_id": null,
            "model": "communication server 1000m",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "2.1"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.1.4"
          },
          {
            "_id": null,
            "model": "websphere mq",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.1.3"
          },
          {
            "_id": null,
            "model": "tivoli directory server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "6.2"
          },
          {
            "_id": null,
            "model": "aura session manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.2"
          },
          {
            "_id": null,
            "model": "project openssl 0.9.8t",
            "scope": null,
            "trust": 0.3,
            "vendor": "openssl",
            "version": null
          },
          {
            "_id": null,
            "model": "http server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "6.1.0.39"
          },
          {
            "_id": null,
            "model": "tivoli netcool/omnibus",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.3"
          },
          {
            "_id": null,
            "model": "websphere mq",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.1.4"
          },
          {
            "_id": null,
            "model": "websphere application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.2"
          },
          {
            "_id": null,
            "model": "communication server 1000m signaling server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.3.3"
          },
          {
            "_id": null,
            "model": "lotus domino",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "8.5"
          },
          {
            "_id": null,
            "model": "websphere application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.0.6"
          },
          {
            "_id": null,
            "model": "hat enterprise linux hpc node optional",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "red",
            "version": "6"
          },
          {
            "_id": null,
            "model": "communication server 1000e",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "tivoli netcool performance manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "1.3.1"
          },
          {
            "_id": null,
            "model": "network automation",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "9.0"
          },
          {
            "_id": null,
            "model": "project openssl 1.0.0c",
            "scope": null,
            "trust": 0.3,
            "vendor": "openssl",
            "version": null
          },
          {
            "_id": null,
            "model": "forticlient",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "fortinet",
            "version": "2.0"
          },
          {
            "_id": null,
            "model": "version control repository manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "2.1.5.760"
          },
          {
            "_id": null,
            "model": "web interface",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "citrix",
            "version": "4.6"
          },
          {
            "_id": null,
            "model": "aura session manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.1.1"
          },
          {
            "_id": null,
            "model": "fortigate",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "fortinet",
            "version": "4.3.5"
          },
          {
            "_id": null,
            "model": "rational software architect",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "8"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.6.3"
          },
          {
            "_id": null,
            "model": "http server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.4.27"
          },
          {
            "_id": null,
            "model": "phaser",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "xerox",
            "version": "67000"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "cisco",
            "version": "0"
          },
          {
            "_id": null,
            "model": "telepresence video communication server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "cisco",
            "version": "0"
          },
          {
            "_id": null,
            "model": "rational clearquest",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "8.0"
          },
          {
            "_id": null,
            "model": "enterprise linux",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "oracle",
            "version": "6"
          },
          {
            "_id": null,
            "model": "rational team concert",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "2.0"
          },
          {
            "_id": null,
            "model": "websphere mq",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.1.2"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "5"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.4.10"
          },
          {
            "_id": null,
            "model": "project openssl 1.0.0f",
            "scope": null,
            "trust": 0.3,
            "vendor": "openssl",
            "version": null
          },
          {
            "_id": null,
            "model": "windows for 32-bit systems sp1",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "microsoft",
            "version": "7"
          },
          {
            "_id": null,
            "model": "windows server for itanium-based systems sp2",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "microsoft",
            "version": "2008"
          },
          {
            "_id": null,
            "model": "project openssl d",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "openssl",
            "version": "0.9.8"
          },
          {
            "_id": null,
            "model": "windows for x64-based systems sp1",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "microsoft",
            "version": "7"
          },
          {
            "_id": null,
            "model": "aura system platform",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "1.1"
          },
          {
            "_id": null,
            "model": "tivoli management framework",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "4.1.1"
          },
          {
            "_id": null,
            "model": "web interface",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "citrix",
            "version": "5.0.1"
          },
          {
            "_id": null,
            "model": "windows server sp2",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "microsoft",
            "version": "2003"
          },
          {
            "_id": null,
            "model": "tivoli provisioning manager for os deployment",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "5.1.0.2"
          },
          {
            "_id": null,
            "model": "version control repository manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "2.1.1.730"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "5.1"
          },
          {
            "_id": null,
            "model": "tivoli provisioning manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "5.1.0.2"
          },
          {
            "_id": null,
            "model": "project openssl 1.0.0j",
            "scope": null,
            "trust": 0.3,
            "vendor": "openssl",
            "version": null
          },
          {
            "_id": null,
            "model": "project openssl 1.0.0b",
            "scope": null,
            "trust": 0.3,
            "vendor": "openssl",
            "version": null
          },
          {
            "_id": null,
            "model": "http server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.0.21"
          },
          {
            "_id": null,
            "model": "aura presence services",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "sitescope",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "11.10"
          },
          {
            "_id": null,
            "model": "rational clearquest",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.1.2.6"
          },
          {
            "_id": null,
            "model": "windows server for 32-bit systems sp2",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "microsoft",
            "version": "2008"
          },
          {
            "_id": null,
            "model": "system management homepage",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "tivoli business service manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "4.2.1"
          },
          {
            "_id": null,
            "model": "websphere application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.11"
          },
          {
            "_id": null,
            "model": "operations agent",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "11.01"
          },
          {
            "_id": null,
            "model": "rational clearquest",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.1.2.2"
          },
          {
            "_id": null,
            "model": "aura system manager sp1",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "network node manager i",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "9.03"
          },
          {
            "_id": null,
            "model": "project openssl",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "openssl",
            "version": "1.0.1"
          },
          {
            "_id": null,
            "model": "aura system manager sp1",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.1"
          },
          {
            "_id": null,
            "model": "hp-ux b.11.31",
            "scope": null,
            "trust": 0.3,
            "vendor": "hp",
            "version": null
          },
          {
            "_id": null,
            "model": "aura system platform",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.0.2"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.3.7"
          },
          {
            "_id": null,
            "model": "http server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "6.1.19"
          },
          {
            "_id": null,
            "model": "linux s/390",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "debian",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "communication server 1000m signaling server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "7.0"
          },
          {
            "_id": null,
            "model": "aura experience portal",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "project openssl beta3",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "openssl",
            "version": "1.0"
          },
          {
            "_id": null,
            "model": "ipad",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "0"
          },
          {
            "_id": null,
            "model": "communication server 1000e",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "7.0"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.3.5"
          },
          {
            "_id": null,
            "model": "hat enterprise linux hpc node supplementary",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "red",
            "version": "6"
          },
          {
            "_id": null,
            "model": "system management homepage",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "6.3"
          },
          {
            "_id": null,
            "model": "web interface",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "citrix",
            "version": "5.0"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.7.3"
          },
          {
            "_id": null,
            "model": "websphere mq",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.1.5"
          },
          {
            "_id": null,
            "model": "aura session manager sp1",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "4.3.4"
          },
          {
            "_id": null,
            "model": "hat enterprise linux desktop",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "red",
            "version": "6"
          },
          {
            "_id": null,
            "model": "tivoli provisioning manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "5.1.1"
          },
          {
            "_id": null,
            "model": "hp-ux",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "11.31"
          },
          {
            "_id": null,
            "model": "rational clearquest",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.1.2.1"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.4.11"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.7.1"
          },
          {
            "_id": null,
            "model": "system management homepage",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "6.2"
          },
          {
            "_id": null,
            "model": "web interface",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "citrix",
            "version": "2.0"
          },
          {
            "_id": null,
            "model": "aura session manager sp2",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.1"
          },
          {
            "_id": null,
            "model": "lotus domino",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "8.0.1"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "4.2.8"
          },
          {
            "_id": null,
            "model": "websphere application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.03"
          },
          {
            "_id": null,
            "model": "performance manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "9.00"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.0.4"
          },
          {
            "_id": null,
            "model": "linux arm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "debian",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "aura presence services",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.1.1"
          },
          {
            "_id": null,
            "model": "rational clearcase",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.1.0.1"
          },
          {
            "_id": null,
            "model": "centos",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "centos",
            "version": "5"
          },
          {
            "_id": null,
            "model": "proactive contact",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "5.0"
          },
          {
            "_id": null,
            "model": "network analysis module",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "cisco",
            "version": "0"
          },
          {
            "_id": null,
            "model": "ip office application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "8.1"
          },
          {
            "_id": null,
            "model": "web experience factory",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.1"
          },
          {
            "_id": null,
            "model": "aura application enablement services",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "5.2"
          },
          {
            "_id": null,
            "model": "http server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "6.1.17"
          },
          {
            "_id": null,
            "model": "network node manager i",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "9.02"
          },
          {
            "_id": null,
            "model": "rational software architect",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0"
          },
          {
            "_id": null,
            "model": "http server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.0.19"
          },
          {
            "_id": null,
            "model": "aura system manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.1.2"
          },
          {
            "_id": null,
            "model": "system management homepage",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "7.0"
          },
          {
            "_id": null,
            "model": "aura application enablement services",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.1.1"
          },
          {
            "_id": null,
            "model": "hat enterprise linux workstation optional",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "red",
            "version": "6"
          },
          {
            "_id": null,
            "model": "aura system manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.6.4"
          },
          {
            "_id": null,
            "model": "network node manager i",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "9.00"
          },
          {
            "_id": null,
            "model": "cics transaction gateway",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.2"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.4.9"
          },
          {
            "_id": null,
            "model": "tivoli provisioning manager for os deployment",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "5.1.3"
          },
          {
            "_id": null,
            "model": "rational clearquest",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "8.0.0.2"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.2.8"
          },
          {
            "_id": null,
            "model": "web interface",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "citrix",
            "version": "5.4"
          },
          {
            "_id": null,
            "model": "lotus domino",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "8.0"
          },
          {
            "_id": null,
            "model": "http server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "6.2"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.2.2"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.5.8"
          },
          {
            "_id": null,
            "model": "ipod touch",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "0"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "4.3.3"
          },
          {
            "_id": null,
            "model": "communication server 1000e signaling server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "hp-ux",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "11.11"
          },
          {
            "_id": null,
            "model": "aura messaging",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.1"
          },
          {
            "_id": null,
            "model": "websphere application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0.0.4"
          },
          {
            "_id": null,
            "model": "project openssl 0.9.8o",
            "scope": null,
            "trust": 0.3,
            "vendor": "openssl",
            "version": null
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.4.7"
          },
          {
            "_id": null,
            "model": "project openssl e",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "openssl",
            "version": "0.9.8"
          },
          {
            "_id": null,
            "model": "aura system platform sp3",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "aura session manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.1"
          },
          {
            "_id": null,
            "model": "aura application enablement services",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "5.2.2"
          },
          {
            "_id": null,
            "model": "hat enterprise linux server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "red",
            "version": "5"
          },
          {
            "_id": null,
            "model": "linux",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "slackware",
            "version": "13.0"
          },
          {
            "_id": null,
            "model": "aura system manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.2"
          },
          {
            "_id": null,
            "model": "http server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "8.0.0.1"
          },
          {
            "_id": null,
            "model": "centos",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "centos",
            "version": "6"
          },
          {
            "_id": null,
            "model": "http server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.0"
          },
          {
            "_id": null,
            "model": "runtimes for java technology",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "aura application enablement services",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "5.2.1"
          },
          {
            "_id": null,
            "model": "aura communication manager utility services",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "4.2.9"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "2.0"
          },
          {
            "_id": null,
            "model": "tivoli provisioning manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "5.1.1.1"
          },
          {
            "_id": null,
            "model": "hat enterprise linux workstation",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "red",
            "version": "6"
          },
          {
            "_id": null,
            "model": "linux",
            "scope": null,
            "trust": 0.3,
            "vendor": "gentoo",
            "version": null
          },
          {
            "_id": null,
            "model": "tivoli common reporting",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "2.1"
          },
          {
            "_id": null,
            "model": "project openssl 0.9.8s",
            "scope": null,
            "trust": 0.3,
            "vendor": "openssl",
            "version": null
          },
          {
            "_id": null,
            "model": "aura communication manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.0.1"
          },
          {
            "_id": null,
            "model": "version control repository manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "6.1.0.841"
          },
          {
            "_id": null,
            "model": "enterprise linux desktop workstation client",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "redhat",
            "version": "5"
          },
          {
            "_id": null,
            "model": "aura session manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "5.2"
          },
          {
            "_id": null,
            "model": "rational clearquest",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.1.2"
          },
          {
            "_id": null,
            "model": "aura system platform",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.0.1"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.3.6"
          },
          {
            "_id": null,
            "model": "communication server 1000e signaling server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "7.5"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.6.2"
          },
          {
            "_id": null,
            "model": "iphone",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "0"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.5.1"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.2.7"
          },
          {
            "_id": null,
            "model": "linux ia-32",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "debian",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "linux",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "slackware",
            "version": "13.37"
          },
          {
            "_id": null,
            "model": "web interface",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "citrix",
            "version": "5.3"
          },
          {
            "_id": null,
            "model": "rational clearcase",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.1.1.4"
          },
          {
            "_id": null,
            "model": "rational clearcase",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.1.1.5"
          },
          {
            "_id": null,
            "model": "iq",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "5"
          },
          {
            "_id": null,
            "model": "emergency responder",
            "scope": null,
            "trust": 0.3,
            "vendor": "cisco",
            "version": null
          },
          {
            "_id": null,
            "model": "websphere application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.021"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.6.1"
          },
          {
            "_id": null,
            "model": "mds",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "cisco",
            "version": "9000"
          },
          {
            "_id": null,
            "model": "communication server 1000m",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "7.5"
          },
          {
            "_id": null,
            "model": "rational clearcase",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "7.1.2.2"
          },
          {
            "_id": null,
            "model": "communication server 1000e signaling server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "7.0"
          },
          {
            "_id": null,
            "model": "version control repository manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "2.1.7.770"
          },
          {
            "_id": null,
            "model": "aura communication manager utility services",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "6.2"
          },
          {
            "_id": null,
            "model": "linux powerpc",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "debian",
            "version": "6.0"
          },
          {
            "_id": null,
            "model": "websphere application server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "ibm",
            "version": "8.0.0.0"
          },
          {
            "_id": null,
            "model": "iq",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "5.1"
          },
          {
            "_id": null,
            "model": "hat enterprise linux server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "red",
            "version": "6"
          },
          {
            "_id": null,
            "model": "nexus",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "cisco",
            "version": "30000"
          },
          {
            "_id": null,
            "model": "tv",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "4.0"
          },
          {
            "_id": null,
            "model": "communication server 1000m signaling server",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "7.5"
          },
          {
            "_id": null,
            "model": "asset manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "5.0"
          },
          {
            "_id": null,
            "model": "version control repository manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "2.1.4.750"
          },
          {
            "_id": null,
            "model": "aura application server sip core",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "53002.1"
          },
          {
            "_id": null,
            "model": "tv",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "2.1"
          },
          {
            "_id": null,
            "model": "communication server 1000e",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "7.5"
          },
          {
            "_id": null,
            "model": "ios",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "3.2.2"
          },
          {
            "_id": null,
            "model": "mac os",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "apple",
            "version": "x10.4.2"
          },
          {
            "_id": null,
            "model": "project openssl 1.0.0a",
            "scope": null,
            "trust": 0.3,
            "vendor": "openssl",
            "version": null
          },
          {
            "_id": null,
            "model": "communication server 1000m",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "avaya",
            "version": "7.0"
          },
          {
            "_id": null,
            "model": "version control repository manager",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "hp",
            "version": "2.1.9.790"
          }
        ],
        "sources": [
          {
            "db": "BID",
            "id": "70574"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-3566"
          }
        ]
      },
      "credits": {
        "_id": null,
        "data": "HP",
        "sources": [
          {
            "db": "PACKETSTORM",
            "id": "137294"
          },
          {
            "db": "PACKETSTORM",
            "id": "129266"
          },
          {
            "db": "PACKETSTORM",
            "id": "130334"
          },
          {
            "db": "PACKETSTORM",
            "id": "128921"
          },
          {
            "db": "PACKETSTORM",
            "id": "136577"
          },
          {
            "db": "PACKETSTORM",
            "id": "129071"
          },
          {
            "db": "PACKETSTORM",
            "id": "129065"
          }
        ],
        "trust": 0.7
      },
      "cve": "CVE-2014-3566",
      "cvss": {
        "_id": null,
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 8.6,
                "id": "CVE-2014-3566",
                "impactScore": 2.9,
                "integrityImpact": "NONE",
                "severity": "MEDIUM",
                "trust": 1.1,
                "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
                "version": "2.0"
              },
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "VULHUB",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 8.6,
                "id": "VHN-71506",
                "impactScore": 2.9,
                "integrityImpact": "NONE",
                "severity": "MEDIUM",
                "trust": 0.1,
                "vectorString": "AV:N/AC:M/AU:N/C:P/I:N/A:N",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "author": "nvd@nist.gov",
                "availabilityImpact": "NONE",
                "baseScore": 3.4,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "exploitabilityScore": 1.6,
                "id": "CVE-2014-3566",
                "impactScore": 1.4,
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "trust": 1.0,
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            ],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2014-3566",
                "trust": 1.0,
                "value": "LOW"
              },
              {
                "author": "VULHUB",
                "id": "VHN-71506",
                "trust": 0.1,
                "value": "MEDIUM"
              },
              {
                "author": "VULMON",
                "id": "CVE-2014-3566",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-71506"
          },
          {
            "db": "VULMON",
            "id": "CVE-2014-3566"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-3566"
          }
        ]
      },
      "description": {
        "_id": null,
        "data": "The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the \"POODLE\" issue. OpenSSL is prone to an information disclosure vulnerability. \nAn attacker can exploit this issue to perform man-in-the-middle attacks and obtain sensitive information. Successful exploits will lead to other attacks. \nThe following versions are vulnerable:\nOpenSSL 0.9.8 prior to 0.9.8zc\nOpenSSL 1.0.0 prior to 1.0.0o\nOpenSSL 1.0.1 prior to 1.0.1j. SSL protocol is the abbreviation of Secure Socket Layer protocol (Secure Socket Layer) developed by Netscape, which provides security and data integrity guarantee for Internet communication. The vulnerability is caused by the program\u0027s use of non-deterministic CBC padding. OpenSSL Security Advisory [15 Oct 2014]\n=======================================\n\nSRTP Memory Leak (CVE-2014-3513)\n================================\n\nSeverity: High\n\nA flaw in the DTLS SRTP extension parsing code allows an attacker, who\nsends a carefully crafted handshake message, to cause OpenSSL to fail\nto free up to 64k of memory causing a memory leak. This could be\nexploited in a Denial Of Service attack. This issue affects OpenSSL\n1.0.1 server implementations for both SSL/TLS and DTLS regardless of\nwhether SRTP is used or configured. Implementations of OpenSSL that\nhave been compiled with OPENSSL_NO_SRTP defined are not affected. \n\nThis issue was reported to OpenSSL on 26th September 2014, based on an original\nissue and patch developed by the LibreSSL project. Further analysis of the issue\nwas performed by the OpenSSL team. \n\nThe fix was developed by the OpenSSL team. \n\n\nSession Ticket Memory Leak (CVE-2014-3567)\n==========================================\n\nSeverity: Medium\n\nWhen an OpenSSL SSL/TLS/DTLS server receives a session ticket the\nintegrity of that ticket is first verified. In the event of a session\nticket integrity check failing, OpenSSL will fail to free memory\ncausing a memory leak. By sending a large number of invalid session\ntickets an attacker could exploit this issue in a Denial Of Service\nattack. \n\nThis issue was reported to OpenSSL on 8th October 2014. \n\nThe fix was developed by Stephen Henson of the OpenSSL core team. \n\n\nSSL 3.0 Fallback protection\n===========================\n\nSeverity: Medium\n\nOpenSSL has added support for TLS_FALLBACK_SCSV to allow applications\nto block the ability for a MITM attacker to force a protocol\ndowngrade. \n\nSome client applications (such as browsers) will reconnect using a\ndowngraded protocol to work around interoperability bugs in older\nservers. This could be exploited by an active man-in-the-middle to\ndowngrade connections to SSL 3.0 even if both sides of the connection\nsupport higher protocols. SSL 3.0 contains a number of weaknesses\nincluding POODLE (CVE-2014-3566). \n\nhttps://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00\nhttps://www.openssl.org/~bodo/ssl-poodle.pdf\n\nSupport for TLS_FALLBACK_SCSV was developed by Adam Langley and Bodo Moeller. \n\n\nBuild option no-ssl3 is incomplete (CVE-2014-3568)\n==================================================\n\nSeverity: Low\n\nWhen OpenSSL is configured with \"no-ssl3\" as a build option, servers\ncould accept and complete a SSL 3.0 handshake, and clients could be\nconfigured to send them. \n\nThis issue was reported to OpenSSL by Akamai Technologies on 14th October 2014. \n\nThe fix was developed by Akamai and the OpenSSL team. \n\n\nReferences\n==========\n\nURL for this Security Advisory:\nhttps://www.openssl.org/news/secadv_20141015.txt\n\nNote: the online version of the advisory may be updated with additional\ndetails over time. \n\nFor details of OpenSSL severity classifications please see:\nhttps://www.openssl.org/about/secpolicy.html\n\n. \nThe following firmware versions of Virtual Connect (VC) are impacted:\n\nHPE BladeSystem c-Class Virtual Connect (VC) Firmware 4.30 through VC 4.45\nHPE BladeSystem c-Class Virtual Connect (VC) Firmware 3.62 through VC 4.21\n\nNote: Firmware versions 3.62 through 4.21 are not impacted by CVE-2016-0800,\nCVE-2015-3194, CVE-2014-3566, CVE-2015-0705, CVE-2016-0799, and\nCVE-2016-2842. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory                           GLSA 201507-14\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n                                           https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n    Title: Oracle JRE/JDK: Multiple vulnerabilities\n     Date: July 10, 2015\n     Bugs: #537214\n       ID: 201507-14\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities have been found in Oracle JRE/JDK, allowing\nboth local and remote attackers to compromise various Java components. Please\nreview the CVE identifiers referenced below for details. \n\nImpact\n======\n\nAn context-dependent attacker may be able to influence the\nconfidentiality, integrity, and availability of Java\napplications/runtime. \n\nWorkaround\n==========\n\nThere is no workaround at this time. \n\nResolution\n==========\n\nAll Oracle JRE 8 users should upgrade to the latest stable version:\n\u003ccode\u003e\n# emerge --sync\n# emerge --ask --oneshot --verbose \"\u003e=dev-java/oracle-jre-bin-1.8.0.31\n\nAll Oracle JDK 8 users should upgrade to the latest stable version:\n\u003ccode\u003e\n# emerge --sync\n# emerge --ask --oneshot --verbose \"\u003e=dev-java/oracle-jdk-bin-1.8.0.31\n\nAll Oracle JRE 7 users should upgrade to the latest version:\n\u003ccode\u003e\n# emerge --sync\n# emerge --ask --oneshot --verbose \"\u003e=dev-java/oracle-jre-bin-1.7.0.76\n\nAll Oracle JDK 7 users should upgrade to the latest stable version:\n\u003ccode\u003e\n# emerge --sync\n# emerge --ask --oneshot --verbose \"\u003e=dev-java/oracle-jdk-bin-1.7.0.76\n\nReferences\n==========\n\n[  1 ] CVE-2014-3566\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3566\n[  2 ] CVE-2014-6549\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6549\n[  3 ] CVE-2014-6585\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6585\n[  4 ] CVE-2014-6587\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6587\n[  5 ] CVE-2014-6591\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6591\n[  6 ] CVE-2014-6593\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6593\n[  7 ] CVE-2014-6601\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6601\n[  8 ] CVE-2015-0383\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0383\n[  9 ] CVE-2015-0395\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0395\n[ 10 ] CVE-2015-0400\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0400\n[ 11 ] CVE-2015-0403\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0403\n[ 12 ] CVE-2015-0406\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0406\n[ 13 ] CVE-2015-0407\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0407\n[ 14 ] CVE-2015-0408\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0408\n[ 15 ] CVE-2015-0410\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0410\n[ 16 ] CVE-2015-0412\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0412\n[ 17 ] CVE-2015-0413\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0413\n[ 18 ] CVE-2015-0421\n       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0421\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/201507-14\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2015 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttp://creativecommons.org/licenses/by-sa/2.5\n. \n\n  HP CMS: UCMDB Browser all supported versions. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n=====================================================================\n                   Red Hat Security Advisory\n\nSynopsis:          Critical: java-1.7.0-ibm security update\nAdvisory ID:       RHSA-2014:1876-01\nProduct:           Red Hat Enterprise Linux Supplementary\nAdvisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1876.html\nIssue date:        2014-11-19\nCVE Names:         CVE-2014-3065 CVE-2014-3566 CVE-2014-4288 \n                   CVE-2014-6456 CVE-2014-6457 CVE-2014-6458 \n                   CVE-2014-6476 CVE-2014-6492 CVE-2014-6493 \n                   CVE-2014-6502 CVE-2014-6503 CVE-2014-6506 \n                   CVE-2014-6511 CVE-2014-6512 CVE-2014-6515 \n                   CVE-2014-6527 CVE-2014-6531 CVE-2014-6532 \n                   CVE-2014-6558 \n=====================================================================\n\n1. Summary:\n\nUpdated java-1.7.0-ibm packages that fix several security issues are now\navailable for Red Hat Enterprise Linux 5 Supplementary. \n\nRed Hat Product Security has rated this update as having Critical security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64\nRed Hat Enterprise Linux Server Supplementary (v. 5) - i386, ppc, s390x, x86_64\n\n3. Description:\n\nIBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM\nJava Software Development Kit. \n\nThis update fixes several vulnerabilities in the IBM Java Runtime\nEnvironment and the IBM Java Software Development Kit. Detailed\nvulnerability descriptions are linked from the IBM Security alerts\npage, listed in the References section. (CVE-2014-3065, CVE-2014-3566,\nCVE-2014-4288, CVE-2014-6456, CVE-2014-6457, CVE-2014-6458, CVE-2014-6476,\nCVE-2014-6492, CVE-2014-6493, CVE-2014-6502, CVE-2014-6503, CVE-2014-6506,\nCVE-2014-6511, CVE-2014-6512, CVE-2014-6515, CVE-2014-6527, CVE-2014-6531,\nCVE-2014-6532, CVE-2014-6558)\n\nThe CVE-2014-6512 issue was discovered by Florian Weimer of Red Hat\nProduct Security. \n\nNote: With this update, the IBM SDK now disables the SSL 3.0 protocol to\naddress the CVE-2014-3566 issue (also known as POODLE). Refer to the IBM\narticle linked to in the References section for additional details about\nthis change and instructions on how to re-enable SSL 3.0 support if needed. \n\nAll users of java-1.7.0-ibm are advised to upgrade to these updated\npackages, containing the IBM Java SE 7 SR8 release. All running instances\nof IBM Java must be restarted for the update to take effect. \n\n4. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. \n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1071210 - CVE-2014-6512 OpenJDK: DatagramSocket connected socket missing source check (Libraries, 8039509)\n1150155 - CVE-2014-6506 OpenJDK: insufficient permission checks when setting resource bundle on system logger (Libraries, 8041564)\n1150651 - CVE-2014-6531 OpenJDK: insufficient ResourceBundle name check (Libraries, 8044274)\n1150669 - CVE-2014-6502 OpenJDK: LogRecord use of incorrect CL when loading ResourceBundle (Libraries, 8042797)\n1151046 - CVE-2014-6457 OpenJDK: Triple Handshake attack against TLS/SSL connections (JSSE, 8037066)\n1151063 - CVE-2014-6558 OpenJDK: CipherInputStream incorrect exception handling (Security, 8037846)\n1151517 - CVE-2014-6511 ICU: Layout Engine ContextualSubstitution missing boundary checks (JDK 2D, 8041540)\n1152756 - CVE-2014-6532 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment)\n1152757 - CVE-2014-6503 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment)\n1152758 - CVE-2014-6456 Oracle JDK: unspecified vulnerability fixed in 7u71 and 8u25 (Deployment)\n1152759 - CVE-2014-6492 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment)\n1152760 - CVE-2014-6493 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment)\n1152761 - CVE-2014-4288 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment)\n1152763 - CVE-2014-6458 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment)\n1152765 - CVE-2014-6476 Oracle JDK: unspecified vulnerability fixed in 7u71 and 8u25 (Deployment)\n1152766 - CVE-2014-6515 Oracle JDK: unspecified vulnerability fixed in 6u85, 7u71 and 8u25 (Deployment)\n1152767 - CVE-2014-6527 Oracle JDK: unspecified vulnerability fixed in 7u71 and 8u25 (Deployment)\n1152789 - CVE-2014-3566 SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack\n1162554 - CVE-2014-3065 IBM JDK: privilege escalation via shared class cache\n\n6. Package List:\n\nRed Hat Enterprise Linux Desktop Supplementary (v. 5):\n\ni386:\njava-1.7.0-ibm-1.7.0.8.0-1jpp.1.el5.i386.rpm\njava-1.7.0-ibm-demo-1.7.0.8.0-1jpp.1.el5.i386.rpm\njava-1.7.0-ibm-devel-1.7.0.8.0-1jpp.1.el5.i386.rpm\njava-1.7.0-ibm-jdbc-1.7.0.8.0-1jpp.1.el5.i386.rpm\njava-1.7.0-ibm-plugin-1.7.0.8.0-1jpp.1.el5.i386.rpm\njava-1.7.0-ibm-src-1.7.0.8.0-1jpp.1.el5.i386.rpm\n\nx86_64:\njava-1.7.0-ibm-1.7.0.8.0-1jpp.1.el5.i386.rpm\njava-1.7.0-ibm-1.7.0.8.0-1jpp.1.el5.x86_64.rpm\njava-1.7.0-ibm-demo-1.7.0.8.0-1jpp.1.el5.i386.rpm\njava-1.7.0-ibm-demo-1.7.0.8.0-1jpp.1.el5.x86_64.rpm\njava-1.7.0-ibm-devel-1.7.0.8.0-1jpp.1.el5.i386.rpm\njava-1.7.0-ibm-devel-1.7.0.8.0-1jpp.1.el5.x86_64.rpm\njava-1.7.0-ibm-jdbc-1.7.0.8.0-1jpp.1.el5.i386.rpm\njava-1.7.0-ibm-jdbc-1.7.0.8.0-1jpp.1.el5.x86_64.rpm\njava-1.7.0-ibm-plugin-1.7.0.8.0-1jpp.1.el5.i386.rpm\njava-1.7.0-ibm-plugin-1.7.0.8.0-1jpp.1.el5.x86_64.rpm\njava-1.7.0-ibm-src-1.7.0.8.0-1jpp.1.el5.i386.rpm\njava-1.7.0-ibm-src-1.7.0.8.0-1jpp.1.el5.x86_64.rpm\n\nRed Hat Enterprise Linux Server Supplementary (v. 5):\n\ni386:\njava-1.7.0-ibm-1.7.0.8.0-1jpp.1.el5.i386.rpm\njava-1.7.0-ibm-demo-1.7.0.8.0-1jpp.1.el5.i386.rpm\njava-1.7.0-ibm-devel-1.7.0.8.0-1jpp.1.el5.i386.rpm\njava-1.7.0-ibm-jdbc-1.7.0.8.0-1jpp.1.el5.i386.rpm\njava-1.7.0-ibm-plugin-1.7.0.8.0-1jpp.1.el5.i386.rpm\njava-1.7.0-ibm-src-1.7.0.8.0-1jpp.1.el5.i386.rpm\n\nppc:\njava-1.7.0-ibm-1.7.0.8.0-1jpp.1.el5.ppc.rpm\njava-1.7.0-ibm-1.7.0.8.0-1jpp.1.el5.ppc64.rpm\njava-1.7.0-ibm-demo-1.7.0.8.0-1jpp.1.el5.ppc.rpm\njava-1.7.0-ibm-demo-1.7.0.8.0-1jpp.1.el5.ppc64.rpm\njava-1.7.0-ibm-devel-1.7.0.8.0-1jpp.1.el5.ppc.rpm\njava-1.7.0-ibm-devel-1.7.0.8.0-1jpp.1.el5.ppc64.rpm\njava-1.7.0-ibm-jdbc-1.7.0.8.0-1jpp.1.el5.ppc.rpm\njava-1.7.0-ibm-jdbc-1.7.0.8.0-1jpp.1.el5.ppc64.rpm\njava-1.7.0-ibm-plugin-1.7.0.8.0-1jpp.1.el5.ppc.rpm\njava-1.7.0-ibm-src-1.7.0.8.0-1jpp.1.el5.ppc.rpm\njava-1.7.0-ibm-src-1.7.0.8.0-1jpp.1.el5.ppc64.rpm\n\ns390x:\njava-1.7.0-ibm-1.7.0.8.0-1jpp.1.el5.s390.rpm\njava-1.7.0-ibm-1.7.0.8.0-1jpp.1.el5.s390x.rpm\njava-1.7.0-ibm-demo-1.7.0.8.0-1jpp.1.el5.s390.rpm\njava-1.7.0-ibm-demo-1.7.0.8.0-1jpp.1.el5.s390x.rpm\njava-1.7.0-ibm-devel-1.7.0.8.0-1jpp.1.el5.s390.rpm\njava-1.7.0-ibm-devel-1.7.0.8.0-1jpp.1.el5.s390x.rpm\njava-1.7.0-ibm-jdbc-1.7.0.8.0-1jpp.1.el5.s390.rpm\njava-1.7.0-ibm-jdbc-1.7.0.8.0-1jpp.1.el5.s390x.rpm\njava-1.7.0-ibm-src-1.7.0.8.0-1jpp.1.el5.s390.rpm\njava-1.7.0-ibm-src-1.7.0.8.0-1jpp.1.el5.s390x.rpm\n\nx86_64:\njava-1.7.0-ibm-1.7.0.8.0-1jpp.1.el5.i386.rpm\njava-1.7.0-ibm-1.7.0.8.0-1jpp.1.el5.x86_64.rpm\njava-1.7.0-ibm-demo-1.7.0.8.0-1jpp.1.el5.i386.rpm\njava-1.7.0-ibm-demo-1.7.0.8.0-1jpp.1.el5.x86_64.rpm\njava-1.7.0-ibm-devel-1.7.0.8.0-1jpp.1.el5.i386.rpm\njava-1.7.0-ibm-devel-1.7.0.8.0-1jpp.1.el5.x86_64.rpm\njava-1.7.0-ibm-jdbc-1.7.0.8.0-1jpp.1.el5.i386.rpm\njava-1.7.0-ibm-jdbc-1.7.0.8.0-1jpp.1.el5.x86_64.rpm\njava-1.7.0-ibm-plugin-1.7.0.8.0-1jpp.1.el5.i386.rpm\njava-1.7.0-ibm-plugin-1.7.0.8.0-1jpp.1.el5.x86_64.rpm\njava-1.7.0-ibm-src-1.7.0.8.0-1jpp.1.el5.i386.rpm\njava-1.7.0-ibm-src-1.7.0.8.0-1jpp.1.el5.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security.  Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2014-3065\nhttps://access.redhat.com/security/cve/CVE-2014-3566\nhttps://access.redhat.com/security/cve/CVE-2014-4288\nhttps://access.redhat.com/security/cve/CVE-2014-6456\nhttps://access.redhat.com/security/cve/CVE-2014-6457\nhttps://access.redhat.com/security/cve/CVE-2014-6458\nhttps://access.redhat.com/security/cve/CVE-2014-6476\nhttps://access.redhat.com/security/cve/CVE-2014-6492\nhttps://access.redhat.com/security/cve/CVE-2014-6493\nhttps://access.redhat.com/security/cve/CVE-2014-6502\nhttps://access.redhat.com/security/cve/CVE-2014-6503\nhttps://access.redhat.com/security/cve/CVE-2014-6506\nhttps://access.redhat.com/security/cve/CVE-2014-6511\nhttps://access.redhat.com/security/cve/CVE-2014-6512\nhttps://access.redhat.com/security/cve/CVE-2014-6515\nhttps://access.redhat.com/security/cve/CVE-2014-6527\nhttps://access.redhat.com/security/cve/CVE-2014-6531\nhttps://access.redhat.com/security/cve/CVE-2014-6532\nhttps://access.redhat.com/security/cve/CVE-2014-6558\nhttps://access.redhat.com/security/updates/classification/#critical\nhttps://www.ibm.com/developerworks/java/jdk/alerts/\nhttps://www-01.ibm.com/support/docview.wss?uid=swg21688165\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2014 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niD8DBQFUbOWGXlSAg2UNWIIRAhPmAJ96YO5JFEg4GS1MkDIeXQkRxbN0hACgoUiY\nehbScogUJnSordhBH11LgWQ=\n=ko7F\n-----END PGP SIGNATURE-----\n\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. \n\nftp://ssl098zc:Secure12@ftp.usa.hp.com\n\nUser name: ssl098zc Password: (NOTE: Case sensitive) Secure12\n\nHP-UX Release\n HP-UX OpenSSL version\n\nB.11.11 (11i v1)\n A.00.09.08zc.001_HP-UX_B.11.11_32+64.depot\n\nB.11.23 (11i v2)\n A.00.09.08zc.002_HP-UX_B.11.23_IA-PA.depot\n\nB.11.31 (11i v3)\n A.00.09.08zc.003_HP-UX_B.11.31_IA-PA.depot\n\nMANUAL ACTIONS: Yes - Update\n\nInstall OpenSSL A.00.09.08zc or subsequent\n\nPRODUCT SPECIFIC INFORMATION\n\nHP-UX Software Assistant: HP-UX Software Assistant is an enhanced application\nthat replaces HP-UX Security Patch Check. It analyzes all Security Bulletins\nissued by HP and lists recommended actions that may apply to a specific HP-UX\nsystem. It can also download patches and create a depot automatically. For\nmore information see: https://www.hp.com/go/swa\n\nThe following text is for use by the HP-UX Software Assistant. \n\nThe update is available from HPE Software Depot: https://h20392.www2.hpe.com/\nportal/swdepot/displayProductInfo.do?productNumber=HPVPRhttps://www.hpe.com\n\nNote: HPE recommends customers using OV4VC 7.8.1 and earlier should upgrade\nto OV4VC 7.8.2. This addresses all SSL security vulnerabilities reported\nthrough March 28, 2016. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nNote: the current version of the following document is available here:\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\ndocDisplay?docId=emr_na-c04496538\n\nSUPPORT COMMUNICATION - SECURITY BULLETIN\n\nDocument ID: c04496538\nVersion: 1\n\nHPSBGN03164 rev.1 - HP IceWall SSO Dfw, SSO Certd and MCRP running OpenSSL,\nRemote Disclosure of Information\n\nNOTICE: The information in this Security Bulletin should be acted upon as\nsoon as possible. \n\nRelease Date: 2014-11-10\nLast Updated: 2014-11-10\n\nPotential Security Impact: Remote disclosure of information\n\nSource: Hewlett-Packard Company, HP Software Security Response Team\n\nVULNERABILITY SUMMARY\nA potential security vulnerability has been identified with HP IceWall SSO\nDfw , SSO Certd, and MCRP running OpenSSL. \n\nThis is the SSLv3 vulnerability known as \"Padding Oracle on Downgraded Legacy\nEncryption\" or \"Poodle\", which could be exploited remotely resulting in\ndisclosure of information.. \n\nReferences: CVE-2014-3566 (SSRT101789)\n\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. \n\n  - HP IceWall MCRP v2.1, v3.0\n  - HP IceWall SSO Dfw v8.0, v8.0 R1, v8.0 R2, v8.0 R3, and v10.0\n  - HP IceWall SSO Certd v8.0R3 with DB plugin patch 2 and v10.0\n\nBACKGROUND\n\nCVSS 2.0 Base Metrics\n===========================================================\n  Reference              Base Vector             Base Score\nCVE-2014-3566    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3\n===========================================================\n             Information on CVSS is documented\n            in HP Customer Notice: HPSN-2008-002\n\nRESOLUTION\n\nHP recommends the following software updates and workaround instructions to\nresolve this vulnerability for HP IceWall SSO Dfw, SSO Certd, and MCRP. \n\n  The software updates are available at:\n\n     http://www.hp.com/jp/icewall_patchaccess\n\n  Notes:\n\n    - There are no updates or mitigations for MCRP 2.1 and Dfw\n8.0/8.0R1/8.0R2/8.0R3. \n    - HP recommends updating these older versions to the latest versions and\npatches and then following the WORKAROUND INSTRUCTIONS below. \n    - The WORKAROUND INSTRUCTIONS should be followed after applying the\nfollowing updates. \n\n  Software Update Versions\n\n    HP IceWall MCRP 3.0 Patch release 1\n\n    HP IceWall SSO Dfw 10.0 Patch release 7\n\n  Note: Both software update versions provide the use of TLSv1 which is not\nvulnerable and available for each supported platform. \n\nWORKAROUND INSTRUCTIONS\n\n  HP recommends the following information to protect against potential risk\nfor the following HP IceWall products. \n\n    HP IceWall SSO Dfw and MCRP\n\n      - If possible, do not use the SHOST setting which allows IceWall SSO\nDfw or MCRP to use SSL/TLS protocol to back-end web servers. \n\n      - The following steps should be applied if SSL/TLS protocol to back-end\nweb servers must be used:\n\n        o For MCRP: apply MCRP patch release 1\n        o For Dfw: apply Dfw patch release 7 or later\n        o Set SSL_PROTOCOL parameter to TLSv1\n\n    HP IceWall SSO Certd\n\n      - For Certd version 10.0 and 8.0R3: apply DB plugin patch release 2\n\n      - If possible, do not use the LDAPSSL setting which allows IceWall SSO\nCertd to connect to the LDAP server using SSL/TLS protocol. \n\n      - If SSL/TLS protocol must be used to LDAP server, configure the LDAP\nserver to use only TLSv1 as a mitigation for the vulnerability. For example,\non an OpenLDAP server (slapd), Set the TLSProtocolMin parameter. \n\nNote: The HP IceWall product is only available in Japan. \n\nHISTORY\nVersion:1 (rev.1) - 10 November 2014 Initial release\n\nThird Party Security Patches: Third party security patches that are to be\ninstalled on systems running HP software products should be applied in\naccordance with the customer\u0027s patch management policy. \n\nSupport: For issues about implementing the recommendations of this Security\nBulletin, contact normal HP Services support channel.  For other issues about\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com. \n\nReport: To report a potential security vulnerability with any HP supported\nproduct, send Email to: security-alert@hp.com\n\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\nalerts via Email:\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\n\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\navailable here:\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\n\nSoftware Product Category: The Software Product Category is represented in\nthe title by the two characters following HPSB. \n\n3C = 3COM\n3P = 3rd Party Software\nGN = HP General Software\nHF = HP Hardware and Firmware\nMP = MPE/iX\nMU = Multi-Platform Software\nNS = NonStop Servers\nOV = OpenVMS\nPI = Printing and Imaging\nPV = ProCurve\nST = Storage Software\nTU = Tru64 UNIX\nUX = HP-UX\n\nCopyright 2014 Hewlett-Packard Development Company, L.P. \nHewlett-Packard Company shall not be liable for technical or editorial errors\nor omissions contained herein. The information provided is provided \"as is\"\nwithout warranty of any kind. To the extent permitted by law, neither HP or\nits affiliates, subcontractors or suppliers will be liable for\nincidental,special or consequential damages including downtime cost; lost\nprofits; damages relating to the procurement of substitute products or\nservices; or damages for loss of data, or software restoration. The\ninformation in this document is subject to change without notice. \nHewlett-Packard Company and the names of Hewlett-Packard products referenced\nherein are trademarks of Hewlett-Packard Company in the United States and\nother countries. Other product and company names mentioned herein may be\ntrademarks of their respective owners. \n\nHP SiteScope 11.1x\nHP SiteScope 11.2x\n\nImportant note: HP SiteScope is impacted if and only if it is configured to\nwork over secure channel (HTTPS). This protocol is now disabled by default. \n\nFor the oldstable distribution (wheezy), this problem has been fixed\nin version 1.4.31-4+deb7u4. \n\nWe recommend that you upgrade your lighttpd packages",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2014-3566"
          },
          {
            "db": "BID",
            "id": "70574"
          },
          {
            "db": "VULHUB",
            "id": "VHN-71506"
          },
          {
            "db": "VULMON",
            "id": "CVE-2014-3566"
          },
          {
            "db": "PACKETSTORM",
            "id": "169664"
          },
          {
            "db": "PACKETSTORM",
            "id": "137294"
          },
          {
            "db": "PACKETSTORM",
            "id": "132641"
          },
          {
            "db": "PACKETSTORM",
            "id": "129266"
          },
          {
            "db": "PACKETSTORM",
            "id": "129178"
          },
          {
            "db": "PACKETSTORM",
            "id": "130334"
          },
          {
            "db": "PACKETSTORM",
            "id": "128921"
          },
          {
            "db": "PACKETSTORM",
            "id": "136577"
          },
          {
            "db": "PACKETSTORM",
            "id": "129071"
          },
          {
            "db": "PACKETSTORM",
            "id": "129065"
          },
          {
            "db": "PACKETSTORM",
            "id": "135908"
          }
        ],
        "trust": 2.34
      },
      "exploit_availability": {
        "_id": null,
        "data": [
          {
            "reference": "https://www.scap.org.cn/vuln/vhn-71506",
            "trust": 0.1,
            "type": "unknown"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-71506"
          }
        ]
      },
      "external_ids": {
        "_id": null,
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2014-3566",
            "trust": 2.6
          },
          {
            "db": "BID",
            "id": "70574",
            "trust": 1.4
          },
          {
            "db": "ICS CERT",
            "id": "ICSMA-18-058-02",
            "trust": 1.1
          },
          {
            "db": "SECUNIA",
            "id": "61130",
            "trust": 1.1
          },
          {
            "db": "SECUNIA",
            "id": "61995",
            "trust": 1.1
          },
          {
            "db": "SECUNIA",
            "id": "60792",
            "trust": 1.1
          },
          {
            "db": "SECUNIA",
            "id": "61019",
            "trust": 1.1
          },
          {
            "db": "SECUNIA",
            "id": "61316",
            "trust": 1.1
          },
          {
            "db": "SECUNIA",
            "id": "61827",
            "trust": 1.1
          },
          {
            "db": "SECUNIA",
            "id": "61782",
            "trust": 1.1
          },
          {
            "db": "SECUNIA",
            "id": "60056",
            "trust": 1.1
          },
          {
            "db": "SECUNIA",
            "id": "61810",
            "trust": 1.1
          },
          {
            "db": "SECUNIA",
            "id": "61819",
            "trust": 1.1
          },
          {
            "db": "SECUNIA",
            "id": "61825",
            "trust": 1.1
          },
          {
            "db": "SECUNIA",
            "id": "60206",
            "trust": 1.1
          },
          {
            "db": "SECUNIA",
            "id": "61303",
            "trust": 1.1
          },
          {
            "db": "SECUNIA",
            "id": "61359",
            "trust": 1.1
          },
          {
            "db": "SECUNIA",
            "id": "61345",
            "trust": 1.1
          },
          {
            "db": "SECUNIA",
            "id": "59627",
            "trust": 1.1
          },
          {
            "db": "SECUNIA",
            "id": "60859",
            "trust": 1.1
          },
          {
            "db": "SECUNIA",
            "id": "61926",
            "trust": 1.1
          },
          {
            "db": "SECTRACK",
            "id": "1031120",
            "trust": 1.1
          },
          {
            "db": "SECTRACK",
            "id": "1031106",
            "trust": 1.1
          },
          {
            "db": "SECTRACK",
            "id": "1031124",
            "trust": 1.1
          },
          {
            "db": "SECTRACK",
            "id": "1031091",
            "trust": 1.1
          },
          {
            "db": "SECTRACK",
            "id": "1031095",
            "trust": 1.1
          },
          {
            "db": "SECTRACK",
            "id": "1031088",
            "trust": 1.1
          },
          {
            "db": "SECTRACK",
            "id": "1031093",
            "trust": 1.1
          },
          {
            "db": "SECTRACK",
            "id": "1031105",
            "trust": 1.1
          },
          {
            "db": "SECTRACK",
            "id": "1031094",
            "trust": 1.1
          },
          {
            "db": "SECTRACK",
            "id": "1031087",
            "trust": 1.1
          },
          {
            "db": "SECTRACK",
            "id": "1031090",
            "trust": 1.1
          },
          {
            "db": "SECTRACK",
            "id": "1031107",
            "trust": 1.1
          },
          {
            "db": "SECTRACK",
            "id": "1031132",
            "trust": 1.1
          },
          {
            "db": "SECTRACK",
            "id": "1031085",
            "trust": 1.1
          },
          {
            "db": "SECTRACK",
            "id": "1031039",
            "trust": 1.1
          },
          {
            "db": "SECTRACK",
            "id": "1031096",
            "trust": 1.1
          },
          {
            "db": "SECTRACK",
            "id": "1031131",
            "trust": 1.1
          },
          {
            "db": "SECTRACK",
            "id": "1031029",
            "trust": 1.1
          },
          {
            "db": "SECTRACK",
            "id": "1031123",
            "trust": 1.1
          },
          {
            "db": "SECTRACK",
            "id": "1031086",
            "trust": 1.1
          },
          {
            "db": "SECTRACK",
            "id": "1031130",
            "trust": 1.1
          },
          {
            "db": "SECTRACK",
            "id": "1031092",
            "trust": 1.1
          },
          {
            "db": "SECTRACK",
            "id": "1031089",
            "trust": 1.1
          },
          {
            "db": "USCERT",
            "id": "TA14-290A",
            "trust": 1.1
          },
          {
            "db": "MCAFEE",
            "id": "SB10091",
            "trust": 1.1
          },
          {
            "db": "MCAFEE",
            "id": "SB10104",
            "trust": 1.1
          },
          {
            "db": "MCAFEE",
            "id": "SB10090",
            "trust": 1.1
          },
          {
            "db": "CERT/CC",
            "id": "VU#577193",
            "trust": 1.1
          },
          {
            "db": "JUNIPER",
            "id": "JSA10705",
            "trust": 1.1
          },
          {
            "db": "PACKETSTORM",
            "id": "128921",
            "trust": 0.2
          },
          {
            "db": "PACKETSTORM",
            "id": "129065",
            "trust": 0.2
          },
          {
            "db": "PACKETSTORM",
            "id": "129266",
            "trust": 0.2
          },
          {
            "db": "PACKETSTORM",
            "id": "132641",
            "trust": 0.2
          },
          {
            "db": "PACKETSTORM",
            "id": "136577",
            "trust": 0.2
          },
          {
            "db": "PACKETSTORM",
            "id": "130334",
            "trust": 0.2
          },
          {
            "db": "PACKETSTORM",
            "id": "129071",
            "trust": 0.2
          },
          {
            "db": "PACKETSTORM",
            "id": "135908",
            "trust": 0.2
          },
          {
            "db": "PACKETSTORM",
            "id": "131009",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "130184",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "131051",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "128838",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "130217",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "130296",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "129150",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "132084",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "132573",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "131354",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "128969",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "132469",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "128669",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "128866",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "129265",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "129217",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "136599",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "133640",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "129263",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "129614",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "130759",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "131011",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "139063",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "128863",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "130332",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "128730",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "130298",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "131690",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "128770",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "130125",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "128732",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "128733",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "130816",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "129528",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "130052",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "129294",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "132470",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "133836",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "129242",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "129401",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "130304",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "130549",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "129427",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "130085",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "131008",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "137652",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "130046",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "130086",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "128769",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "130141",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "131535",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "130181",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "133368",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "132942",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "130070",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "129318",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "132965",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "131790",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "130818",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "130817",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "128771",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "130050",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "133600",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "130072",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "129120",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "129426",
            "trust": 0.1
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201410-267",
            "trust": 0.1
          },
          {
            "db": "SEEBUG",
            "id": "SSVID-92692",
            "trust": 0.1
          },
          {
            "db": "VULHUB",
            "id": "VHN-71506",
            "trust": 0.1
          },
          {
            "db": "VULMON",
            "id": "CVE-2014-3566",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "169664",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "137294",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "129178",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-71506"
          },
          {
            "db": "VULMON",
            "id": "CVE-2014-3566"
          },
          {
            "db": "BID",
            "id": "70574"
          },
          {
            "db": "PACKETSTORM",
            "id": "169664"
          },
          {
            "db": "PACKETSTORM",
            "id": "137294"
          },
          {
            "db": "PACKETSTORM",
            "id": "132641"
          },
          {
            "db": "PACKETSTORM",
            "id": "129266"
          },
          {
            "db": "PACKETSTORM",
            "id": "129178"
          },
          {
            "db": "PACKETSTORM",
            "id": "130334"
          },
          {
            "db": "PACKETSTORM",
            "id": "128921"
          },
          {
            "db": "PACKETSTORM",
            "id": "136577"
          },
          {
            "db": "PACKETSTORM",
            "id": "129071"
          },
          {
            "db": "PACKETSTORM",
            "id": "129065"
          },
          {
            "db": "PACKETSTORM",
            "id": "135908"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-3566"
          }
        ]
      },
      "id": "VAR-201410-1418",
      "iot": {
        "_id": null,
        "data": true,
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-71506"
          }
        ],
        "trust": 0.5931986333333333
      },
      "last_update_date": "2026-04-10T23:34:59.740000Z",
      "patch": {
        "_id": null,
        "data": [
          {
            "title": "Debian Security Advisories: DSA-3489-1 lighttpd -- security update",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=dcb828f6dad683ea0da76b6c62cde0ea"
          },
          {
            "title": "HP: SUPPORT COMMUNICATION- SECURITY BULLETIN\nHPSBPI03360 rev.5 - HP LaserJet Printers and MFPs, HP OfficeJet Printers and MFPs, and HP JetDirect Networking cards using OpenSSL, Remote Disclosure of Information",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=hp_bulletin\u0026qid=4545b8bd124b33fa1434a34c59003fd5"
          },
          {
            "title": "HP: HPSBPI03360 rev.5 - HP LaserJet Printers and MFPs, HP OfficeJet Printers and MFPs, and HP JetDirect Networking cards using OpenSSL, Remote Disclosure of Information",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=hp_bulletin\u0026qid=HPSBPI03360"
          },
          {
            "title": "Debian CVElist Bug Report Logs: Not possible to disable SSLv3",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=cd46735759deed658e1e15bd89794f91"
          },
          {
            "title": "Amazon Linux AMI: ALAS-2014-426",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2014-426"
          },
          {
            "title": "Red Hat: CVE-2014-3566",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2014-3566"
          },
          {
            "title": "Amazon Linux AMI: ALAS-2014-429",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2014-429"
          },
          {
            "title": "HP: SUPPORT COMMUNICATION- SECURITY BULLETIN\nHPSBPI03360 rev.5 - HP LaserJet Printers and MFPs, HP OfficeJet Printers and MFPs, and HP JetDirect Networking cards using OpenSSL, Remote Disclosure of Information",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=hp_bulletin\u0026qid=9e10ca91834a4f14416f4e75e776c6b6"
          },
          {
            "title": "Red Hat: Important: java-1.6.0-openjdk security update",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20150085 - Security Advisory"
          },
          {
            "title": "Red Hat: Critical: java-1.7.0-openjdk security update",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20150067 - Security Advisory"
          },
          {
            "title": "Debian Security Advisories: DSA-3253-1 pound -- security update",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=ad76a2fc91623114f1aaa478b7ecbe12"
          },
          {
            "title": "Red Hat: Important: java-1.7.0-openjdk security update",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20150068 - Security Advisory"
          },
          {
            "title": "Red Hat: Important: java-1.8.0-openjdk security update",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20150069 - Security Advisory"
          },
          {
            "title": "Red Hat: Critical: java-1.7.0-oracle security update",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20150079 - Security Advisory"
          },
          {
            "title": "Red Hat: Important: java-1.6.0-sun security update",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20150086 - Security Advisory"
          },
          {
            "title": "Debian Security Advisories: DSA-3053-1 openssl -- security update",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=89bdef3607a7448566a930eca0e94cb3"
          },
          {
            "title": "Symantec Security Advisories: SA83 : SSL v3 Poodle Attack",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=symantec_security_advisories\u0026qid=3703d1b5dc42da47d311d20afe00de22"
          },
          {
            "title": "Red Hat: Critical: java-1.8.0-oracle security update",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20150080 - Security Advisory"
          },
          {
            "title": "Cisco: SSL-TLS Implementations Cipher Block Chaining Padding Information Disclosure Vulnerability",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts\u0026qid=Cisco-SA-20141211-CVE-2014-8730"
          },
          {
            "title": "Debian CVElist Bug Report Logs: asterisk: CVE-2014-9374",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=5ec9c01ff2551bc64f61573dcb290621"
          },
          {
            "title": "Citrix Security Bulletins: CVE-2014-3566 - Citrix Security Advisory for SSLv3 Protocol Flaw",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=citrix_security_bulletins\u0026qid=510bf83b7458a7704870eecdfadf5704"
          },
          {
            "title": "Debian CVElist Bug Report Logs: CVE-2014-8418 CVE-2014-8412 CVE-2014-8414 CVE-2014-8417",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=ea75db152315222e9fc0490c8b65fb98"
          },
          {
            "title": "Tenable Security Advisories: [R6] SSLv3 Protocol Vulnerability Affects Tenable Products (POODLE)",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=tenable_security_advisories\u0026qid=TNS-2014-09"
          },
          {
            "title": "Ubuntu Security Notice: openjdk-7 vulnerabilities",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-2487-1"
          },
          {
            "title": "Debian Security Advisories: DSA-3144-1 openjdk-7 -- security update",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=d750da8121d006282839ec576885794b"
          },
          {
            "title": "Red Hat: Low: Red Hat Satellite IBM Java Runtime security update",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20150264 - Security Advisory"
          },
          {
            "title": "Debian Security Advisories: DSA-3147-1 openjdk-6 -- security update",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=f0587b999035ec3e03b0795bc92b0a31"
          },
          {
            "title": "Ubuntu Security Notice: openjdk-6 vulnerabilities",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=USN-2486-1"
          },
          {
            "title": "Amazon Linux AMI: ALAS-2015-480",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2015-480"
          },
          {
            "title": "Amazon Linux AMI: ALAS-2015-471",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2015-471"
          },
          {
            "title": "Huawei Security Advisories: Huawei PSIRT: Technical Analysis Report Regarding Finite State Supply Chain Assessment",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=huawei_security_advisories\u0026qid=73885f997edba4cefdd6ba9030e87bdc"
          },
          {
            "title": "mangy-beast",
            "trust": 0.1,
            "url": "https://github.com/ashmastaflash/mangy-beast "
          },
          {
            "title": "BASH_froggPoodler",
            "trust": 0.1,
            "url": "https://github.com/FroggDev/BASH_froggPoodler "
          },
          {
            "title": "lacework-kaholo-autoremediation",
            "trust": 0.1,
            "url": "https://github.com/automatecloud/lacework-kaholo-autoremediation "
          },
          {
            "title": "bouncer",
            "trust": 0.1,
            "url": "https://github.com/ggrandes/bouncer "
          },
          {
            "title": "voipnowpatches",
            "trust": 0.1,
            "url": "https://github.com/4psa/voipnowpatches "
          },
          {
            "title": "ric13351",
            "trust": 0.1,
            "url": "https://github.com/bjayesh/ric13351 "
          },
          {
            "title": "squeeze-lighttpd-poodle",
            "trust": 0.1,
            "url": "https://github.com/matjohns/squeeze-lighttpd-poodle "
          },
          {
            "title": "poodle_check",
            "trust": 0.1,
            "url": "https://github.com/rameezts/poodle_check "
          },
          {
            "title": "poodle_protector",
            "trust": 0.1,
            "url": "https://github.com/stdevel/poodle_protector "
          },
          {
            "title": "bouncer",
            "trust": 0.1,
            "url": "https://github.com/TechPorter20/bouncer "
          },
          {
            "title": "aws_poodle_fix",
            "trust": 0.1,
            "url": "https://github.com/rvaralda/aws_poodle_fix "
          },
          {
            "title": "dnsmanagerpatches",
            "trust": 0.1,
            "url": "https://github.com/4psa/dnsmanagerpatches "
          },
          {
            "title": "",
            "trust": 0.1,
            "url": "https://github.com/Wanderwille/13.01 "
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2014-3566"
          }
        ]
      },
      "problemtype_data": {
        "_id": null,
        "data": [
          {
            "problemtype": "CWE-310",
            "trust": 1.1
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-71506"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-3566"
          }
        ]
      },
      "references": {
        "_id": null,
        "data": [
          {
            "trust": 1.2,
            "url": "https://security.gentoo.org/glsa/201507-14"
          },
          {
            "trust": 1.2,
            "url": "http://rhn.redhat.com/errata/rhsa-2014-1876.html"
          },
          {
            "trust": 1.2,
            "url": "https://www-01.ibm.com/support/docview.wss?uid=swg21688165"
          },
          {
            "trust": 1.2,
            "url": "https://www.openssl.org/news/secadv_20141015.txt"
          },
          {
            "trust": 1.2,
            "url": "https://www.openssl.org/~bodo/ssl-poodle.pdf"
          },
          {
            "trust": 1.1,
            "url": "http://www.securitytracker.com/id/1031029"
          },
          {
            "trust": 1.1,
            "url": "http://www.securitytracker.com/id/1031039"
          },
          {
            "trust": 1.1,
            "url": "http://www.securitytracker.com/id/1031085"
          },
          {
            "trust": 1.1,
            "url": "http://www.securitytracker.com/id/1031086"
          },
          {
            "trust": 1.1,
            "url": "http://www.securitytracker.com/id/1031087"
          },
          {
            "trust": 1.1,
            "url": "http://www.securitytracker.com/id/1031088"
          },
          {
            "trust": 1.1,
            "url": "http://www.securitytracker.com/id/1031089"
          },
          {
            "trust": 1.1,
            "url": "http://www.securitytracker.com/id/1031090"
          },
          {
            "trust": 1.1,
            "url": "http://www.securitytracker.com/id/1031091"
          },
          {
            "trust": 1.1,
            "url": "http://www.securitytracker.com/id/1031092"
          },
          {
            "trust": 1.1,
            "url": "http://www.securitytracker.com/id/1031093"
          },
          {
            "trust": 1.1,
            "url": "http://www.securitytracker.com/id/1031094"
          },
          {
            "trust": 1.1,
            "url": "http://www.securitytracker.com/id/1031095"
          },
          {
            "trust": 1.1,
            "url": "http://www.securitytracker.com/id/1031096"
          },
          {
            "trust": 1.1,
            "url": "http://www.securitytracker.com/id/1031105"
          },
          {
            "trust": 1.1,
            "url": "http://www.securitytracker.com/id/1031106"
          },
          {
            "trust": 1.1,
            "url": "http://www.securitytracker.com/id/1031107"
          },
          {
            "trust": 1.1,
            "url": "http://www.securitytracker.com/id/1031120"
          },
          {
            "trust": 1.1,
            "url": "http://www.securitytracker.com/id/1031123"
          },
          {
            "trust": 1.1,
            "url": "http://www.securitytracker.com/id/1031124"
          },
          {
            "trust": 1.1,
            "url": "http://www.securitytracker.com/id/1031130"
          },
          {
            "trust": 1.1,
            "url": "http://www.securitytracker.com/id/1031131"
          },
          {
            "trust": 1.1,
            "url": "http://www.securitytracker.com/id/1031132"
          },
          {
            "trust": 1.1,
            "url": "http://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20141015-poodle"
          },
          {
            "trust": 1.1,
            "url": "http://secunia.com/advisories/59627"
          },
          {
            "trust": 1.1,
            "url": "http://secunia.com/advisories/60056"
          },
          {
            "trust": 1.1,
            "url": "http://secunia.com/advisories/60206"
          },
          {
            "trust": 1.1,
            "url": "http://secunia.com/advisories/60792"
          },
          {
            "trust": 1.1,
            "url": "http://secunia.com/advisories/60859"
          },
          {
            "trust": 1.1,
            "url": "http://secunia.com/advisories/61019"
          },
          {
            "trust": 1.1,
            "url": "http://secunia.com/advisories/61130"
          },
          {
            "trust": 1.1,
            "url": "http://secunia.com/advisories/61303"
          },
          {
            "trust": 1.1,
            "url": "http://secunia.com/advisories/61316"
          },
          {
            "trust": 1.1,
            "url": "http://secunia.com/advisories/61345"
          },
          {
            "trust": 1.1,
            "url": "http://secunia.com/advisories/61359"
          },
          {
            "trust": 1.1,
            "url": "http://secunia.com/advisories/61782"
          },
          {
            "trust": 1.1,
            "url": "http://secunia.com/advisories/61810"
          },
          {
            "trust": 1.1,
            "url": "http://secunia.com/advisories/61819"
          },
          {
            "trust": 1.1,
            "url": "http://secunia.com/advisories/61825"
          },
          {
            "trust": 1.1,
            "url": "http://secunia.com/advisories/61827"
          },
          {
            "trust": 1.1,
            "url": "http://secunia.com/advisories/61926"
          },
          {
            "trust": 1.1,
            "url": "http://secunia.com/advisories/61995"
          },
          {
            "trust": 1.1,
            "url": "http://www.securityfocus.com/bid/70574"
          },
          {
            "trust": 1.1,
            "url": "http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html"
          },
          {
            "trust": 1.1,
            "url": "http://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html"
          },
          {
            "trust": 1.1,
            "url": "http://www.securityfocus.com/archive/1/533724/100/0/threaded"
          },
          {
            "trust": 1.1,
            "url": "http://www.securityfocus.com/archive/1/533747"
          },
          {
            "trust": 1.1,
            "url": "http://www.securityfocus.com/archive/1/533746"
          },
          {
            "trust": 1.1,
            "url": "http://lists.apple.com/archives/security-announce/2015/jan/msg00003.html"
          },
          {
            "trust": 1.1,
            "url": "http://lists.apple.com/archives/security-announce/2015/sep/msg00002.html"
          },
          {
            "trust": 1.1,
            "url": "http://www.debian.org/security/2014/dsa-3053"
          },
          {
            "trust": 1.1,
            "url": "http://www.debian.org/security/2015/dsa-3144"
          },
          {
            "trust": 1.1,
            "url": "http://www.debian.org/security/2015/dsa-3147"
          },
          {
            "trust": 1.1,
            "url": "http://www.debian.org/security/2015/dsa-3253"
          },
          {
            "trust": 1.1,
            "url": "http://www.debian.org/security/2016/dsa-3489"
          },
          {
            "trust": 1.1,
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-november/142330.html"
          },
          {
            "trust": 1.1,
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-october/141158.html"
          },
          {
            "trust": 1.1,
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-october/141114.html"
          },
          {
            "trust": 1.1,
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-october/169374.html"
          },
          {
            "trust": 1.1,
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-october/169361.html"
          },
          {
            "trust": 1.1,
            "url": "https://security.gentoo.org/glsa/201606-11"
          },
          {
            "trust": 1.1,
            "url": "http://h20564.www2.hp.com/hpsc/doc/public/display?docid=emr_na-c04583581"
          },
          {
            "trust": 1.1,
            "url": "http://www.mandriva.com/security/advisories?name=mdvsa-2014:203"
          },
          {
            "trust": 1.1,
            "url": "http://www.mandriva.com/security/advisories?name=mdvsa-2015:062"
          },
          {
            "trust": 1.1,
            "url": "ftp://ftp.netbsd.org/pub/netbsd/security/advisories/netbsd-sa2014-015.txt.asc"
          },
          {
            "trust": 1.1,
            "url": "http://rhn.redhat.com/errata/rhsa-2014-1652.html"
          },
          {
            "trust": 1.1,
            "url": "http://rhn.redhat.com/errata/rhsa-2014-1653.html"
          },
          {
            "trust": 1.1,
            "url": "http://rhn.redhat.com/errata/rhsa-2014-1692.html"
          },
          {
            "trust": 1.1,
            "url": "http://rhn.redhat.com/errata/rhsa-2014-1877.html"
          },
          {
            "trust": 1.1,
            "url": "http://rhn.redhat.com/errata/rhsa-2014-1880.html"
          },
          {
            "trust": 1.1,
            "url": "http://rhn.redhat.com/errata/rhsa-2014-1881.html"
          },
          {
            "trust": 1.1,
            "url": "http://rhn.redhat.com/errata/rhsa-2014-1882.html"
          },
          {
            "trust": 1.1,
            "url": "http://rhn.redhat.com/errata/rhsa-2014-1920.html"
          },
          {
            "trust": 1.1,
            "url": "http://rhn.redhat.com/errata/rhsa-2014-1948.html"
          },
          {
            "trust": 1.1,
            "url": "http://rhn.redhat.com/errata/rhsa-2015-0068.html"
          },
          {
            "trust": 1.1,
            "url": "http://rhn.redhat.com/errata/rhsa-2015-0079.html"
          },
          {
            "trust": 1.1,
            "url": "http://rhn.redhat.com/errata/rhsa-2015-0080.html"
          },
          {
            "trust": 1.1,
            "url": "http://rhn.redhat.com/errata/rhsa-2015-0085.html"
          },
          {
            "trust": 1.1,
            "url": "http://rhn.redhat.com/errata/rhsa-2015-0086.html"
          },
          {
            "trust": 1.1,
            "url": "http://rhn.redhat.com/errata/rhsa-2015-0264.html"
          },
          {
            "trust": 1.1,
            "url": "http://rhn.redhat.com/errata/rhsa-2015-0698.html"
          },
          {
            "trust": 1.1,
            "url": "http://rhn.redhat.com/errata/rhsa-2015-1545.html"
          },
          {
            "trust": 1.1,
            "url": "http://rhn.redhat.com/errata/rhsa-2015-1546.html"
          },
          {
            "trust": 1.1,
            "url": "http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00001.html"
          },
          {
            "trust": 1.1,
            "url": "http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00003.html"
          },
          {
            "trust": 1.1,
            "url": "http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00021.html"
          },
          {
            "trust": 1.1,
            "url": "http://lists.opensuse.org/opensuse-security-announce/2014-12/msg00002.html"
          },
          {
            "trust": 1.1,
            "url": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00024.html"
          },
          {
            "trust": 1.1,
            "url": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00026.html"
          },
          {
            "trust": 1.1,
            "url": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00027.html"
          },
          {
            "trust": 1.1,
            "url": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00033.html"
          },
          {
            "trust": 1.1,
            "url": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00036.html"
          },
          {
            "trust": 1.1,
            "url": "http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00018.html"
          },
          {
            "trust": 1.1,
            "url": "http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html"
          },
          {
            "trust": 1.1,
            "url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00066.html"
          },
          {
            "trust": 1.1,
            "url": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00000.html"
          },
          {
            "trust": 1.1,
            "url": "http://www.us-cert.gov/ncas/alerts/ta14-290a"
          },
          {
            "trust": 1.1,
            "url": "http://www.ubuntu.com/usn/usn-2486-1"
          },
          {
            "trust": 1.1,
            "url": "http://www.ubuntu.com/usn/usn-2487-1"
          },
          {
            "trust": 1.1,
            "url": "http://www.kb.cert.org/vuls/id/577193"
          },
          {
            "trust": 1.1,
            "url": "https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3ccommits.cxf.apache.org%3e"
          },
          {
            "trust": 1.1,
            "url": "https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3ccommits.cxf.apache.org%3e"
          },
          {
            "trust": 1.1,
            "url": "https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3ccommits.cxf.apache.org%3e"
          },
          {
            "trust": 1.1,
            "url": "https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3ccommits.cxf.apache.org%3e"
          },
          {
            "trust": 1.1,
            "url": "https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3ccommits.cxf.apache.org%3e"
          },
          {
            "trust": 1.1,
            "url": "https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3ccommits.cxf.apache.org%3e"
          },
          {
            "trust": 1.1,
            "url": "http://advisories.mageia.org/mgasa-2014-0416.html"
          },
          {
            "trust": 1.1,
            "url": "http://aix.software.ibm.com/aix/efixes/security/openssl_advisory11.asc"
          },
          {
            "trust": 1.1,
            "url": "http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566"
          },
          {
            "trust": 1.1,
            "url": "http://blog.cryptographyengineering.com/2014/10/attack-of-week-poodle.html"
          },
          {
            "trust": 1.1,
            "url": "http://blog.nodejs.org/2014/10/23/node-v0-10-33-stable/"
          },
          {
            "trust": 1.1,
            "url": "http://blogs.technet.com/b/msrc/archive/2014/10/14/security-advisory-3009008-released.aspx"
          },
          {
            "trust": 1.1,
            "url": "http://docs.ipswitch.com/moveit/dmz82/releasenotes/moveitreleasenotes82.pdf"
          },
          {
            "trust": 1.1,
            "url": "http://downloads.asterisk.org/pub/security/ast-2014-011.html"
          },
          {
            "trust": 1.1,
            "url": "http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html"
          },
          {
            "trust": 1.1,
            "url": "http://h20564.www2.hpe.com/hpsc/doc/public/display?docid=emr_na-c04779034"
          },
          {
            "trust": 1.1,
            "url": "http://people.canonical.com/~ubuntu-security/cve/2014/cve-2014-3566.html"
          },
          {
            "trust": 1.1,
            "url": "http://support.apple.com/ht204244"
          },
          {
            "trust": 1.1,
            "url": "http://support.citrix.com/article/ctx200238"
          },
          {
            "trust": 1.1,
            "url": "http://www-01.ibm.com/support/docview.wss?uid=isg3t1021431"
          },
          {
            "trust": 1.1,
            "url": "http://www-01.ibm.com/support/docview.wss?uid=isg3t1021439"
          },
          {
            "trust": 1.1,
            "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21686997"
          },
          {
            "trust": 1.1,
            "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21687172"
          },
          {
            "trust": 1.1,
            "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21687611"
          },
          {
            "trust": 1.1,
            "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21688283"
          },
          {
            "trust": 1.1,
            "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21692299"
          },
          {
            "trust": 1.1,
            "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html"
          },
          {
            "trust": 1.1,
            "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html"
          },
          {
            "trust": 1.1,
            "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"
          },
          {
            "trust": 1.1,
            "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html"
          },
          {
            "trust": 1.1,
            "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"
          },
          {
            "trust": 1.1,
            "url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html"
          },
          {
            "trust": 1.1,
            "url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html"
          },
          {
            "trust": 1.1,
            "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html"
          },
          {
            "trust": 1.1,
            "url": "http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html"
          },
          {
            "trust": 1.1,
            "url": "http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html"
          },
          {
            "trust": 1.1,
            "url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html"
          },
          {
            "trust": 1.1,
            "url": "http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html"
          },
          {
            "trust": 1.1,
            "url": "http://www.vmware.com/security/advisories/vmsa-2015-0003.html"
          },
          {
            "trust": 1.1,
            "url": "http://www.websense.com/support/article/kbarticle/vulnerabilities-resolved-in-triton-apx-version-8-0"
          },
          {
            "trust": 1.1,
            "url": "http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-405500.htm"
          },
          {
            "trust": 1.1,
            "url": "https://access.redhat.com/articles/1232123"
          },
          {
            "trust": 1.1,
            "url": "https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/"
          },
          {
            "trust": 1.1,
            "url": "https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_openssl6"
          },
          {
            "trust": 1.1,
            "url": "https://bto.bluecoat.com/security-advisory/sa83"
          },
          {
            "trust": 1.1,
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1076983"
          },
          {
            "trust": 1.1,
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1152789"
          },
          {
            "trust": 1.1,
            "url": "https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip"
          },
          {
            "trust": 1.1,
            "url": "https://github.com/mpgn/poodle-poc"
          },
          {
            "trust": 1.1,
            "url": "https://groups.google.com/forum/#%21topic/docker-user/oym0i3xshju"
          },
          {
            "trust": 1.1,
            "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c04819635"
          },
          {
            "trust": 1.1,
            "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05068681"
          },
          {
            "trust": 1.1,
            "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05157667"
          },
          {
            "trust": 1.1,
            "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05301946"
          },
          {
            "trust": 1.1,
            "url": "https://ics-cert.us-cert.gov/advisories/icsma-18-058-02"
          },
          {
            "trust": 1.1,
            "url": "https://puppet.com/security/cve/poodle-sslv3-vulnerability"
          },
          {
            "trust": 1.1,
            "url": "https://security.netapp.com/advisory/ntap-20141015-0001/"
          },
          {
            "trust": 1.1,
            "url": "https://support.apple.com/ht205217"
          },
          {
            "trust": 1.1,
            "url": "https://support.apple.com/kb/ht6527"
          },
          {
            "trust": 1.1,
            "url": "https://support.apple.com/kb/ht6529"
          },
          {
            "trust": 1.1,
            "url": "https://support.apple.com/kb/ht6531"
          },
          {
            "trust": 1.1,
            "url": "https://support.apple.com/kb/ht6535"
          },
          {
            "trust": 1.1,
            "url": "https://support.apple.com/kb/ht6536"
          },
          {
            "trust": 1.1,
            "url": "https://support.apple.com/kb/ht6541"
          },
          {
            "trust": 1.1,
            "url": "https://support.apple.com/kb/ht6542"
          },
          {
            "trust": 1.1,
            "url": "https://support.citrix.com/article/ctx216642"
          },
          {
            "trust": 1.1,
            "url": "https://support.lenovo.com/product_security/poodle"
          },
          {
            "trust": 1.1,
            "url": "https://support.lenovo.com/us/en/product_security/poodle"
          },
          {
            "trust": 1.1,
            "url": "https://technet.microsoft.com/library/security/3009008.aspx"
          },
          {
            "trust": 1.1,
            "url": "https://www.arista.com/en/support/advisories-notices/security-advisories/1015-security-advisory-7"
          },
          {
            "trust": 1.1,
            "url": "https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html"
          },
          {
            "trust": 1.1,
            "url": "https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html"
          },
          {
            "trust": 1.1,
            "url": "https://www.elastic.co/blog/logstash-1-4-3-released"
          },
          {
            "trust": 1.1,
            "url": "https://www.imperialviolet.org/2014/10/14/poodle.html"
          },
          {
            "trust": 1.1,
            "url": "https://www.suse.com/support/kb/doc.php?id=7015773"
          },
          {
            "trust": 1.1,
            "url": "http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00008.html"
          },
          {
            "trust": 1.1,
            "url": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00001.html"
          },
          {
            "trust": 1.1,
            "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html"
          },
          {
            "trust": 1.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-3566"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=141628688425177\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=141879378918327\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=142624719706349\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=142805027510172\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=142660345230545\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=141697638231025\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=143558192010071\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=sb10104"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=142804214608580\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=142103967620673\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=142496355704097\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=142624590206005\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=142721830231196\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=142118135300698\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=142607790919348\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=sb10091"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=142546741516006\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=142350298616097\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=142357976805598\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=142495837901899\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=141703183219781\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=141577087123040\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=143039249603103\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=141813976718456\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=141576815022399\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=openssl-dev\u0026m=141333049205629\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=141450973807288\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=141775427104070\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=143290437727362\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=141715130023061\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=142350196615714\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=145983526810210\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=sb10090"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=142296755107581\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=143558137709884\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=143290583027876\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=141814011518700\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=142791032306609\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=141694355519663\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=141477196830952\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=142350743917559\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=141697676231104\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=141577350823734\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=142624679706236\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=144101915224472\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=142624619906067"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=143101048219218\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=144294141001552\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=144251162130364\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=141620103726640\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=142721887231400\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=141450452204552\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=142962817202793\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=142354438527235\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=142740155824959\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "https://templatelab.com/ssl-poodle/"
          },
          {
            "trust": 1.0,
            "url": "http://kb.juniper.net/infocenter/index?page=content\u0026id=jsa10705"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=142624619906067\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=143628269912142\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=143290522027658\u0026w=2"
          },
          {
            "trust": 1.0,
            "url": "http://marc.info/?l=bugtraq\u0026m=143290371927178\u0026w=2"
          },
          {
            "trust": 0.5,
            "url": "https://h20564.www2.hp.com/portal/site/hpsc/public/kb/"
          },
          {
            "trust": 0.5,
            "url": "https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secbullarchive/"
          },
          {
            "trust": 0.5,
            "url": "http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins"
          },
          {
            "trust": 0.2,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-3567"
          },
          {
            "trust": 0.2,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-3568"
          },
          {
            "trust": 0.2,
            "url": "https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_n"
          },
          {
            "trust": 0.2,
            "url": "http://www.hpe.com/support/security_bulletin_archive"
          },
          {
            "trust": 0.2,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2016-0800"
          },
          {
            "trust": 0.2,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2016-2842"
          },
          {
            "trust": 0.2,
            "url": "http://www.hpe.com/support/subscriber_choice"
          },
          {
            "trust": 0.2,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2016-0799"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=141577350823734\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=141576815022399\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=141620103726640\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=141697638231025\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=141703183219781\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=141697676231104\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=141775427104070\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=141814011518700\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=141715130023061\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=141813976718456\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=142118135300698\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=142296755107581\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=142354438527235\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=142350743917559\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=142350196615714\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=142350298616097\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=142357976805598\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=142962817202793\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=143290371927178\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=144294141001552\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=145983526810210\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=141450973807288\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=142721887231400\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=142660345230545\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=142804214608580\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=141450452204552\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=141628688425177\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=141577087123040\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=141694355519663\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=141879378918327\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=143290583027876\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=143628269912142\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=143039249603103\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=142624619906067\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=142495837901899\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=143290522027658\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=142624719706349\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=143290437727362\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=142624590206005\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=142624679706236\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=142740155824959\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=142721830231196\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=142791032306609\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=144101915224472\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=142103967620673\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=143558137709884\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=143558192010071\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=142805027510172\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=142546741516006\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=144251162130364\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=141477196830952\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=143101048219218\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=142496355704097\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=142624619906067"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=bugtraq\u0026amp;m=142607790919348\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://marc.info/?l=openssl-dev\u0026amp;m=141333049205629\u0026amp;w=2"
          },
          {
            "trust": 0.1,
            "url": "http://kb.juniper.net/infocenter/index?page=content\u0026amp;id=jsa10705"
          },
          {
            "trust": 0.1,
            "url": "https://kc.mcafee.com/corporate/index?page=content\u0026amp;id=sb10090"
          },
          {
            "trust": 0.1,
            "url": "https://kc.mcafee.com/corporate/index?page=content\u0026amp;id=sb10091"
          },
          {
            "trust": 0.1,
            "url": "https://kc.mcafee.com/corporate/index?page=content\u0026amp;id=sb10104"
          },
          {
            "trust": 0.1,
            "url": "https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00"
          },
          {
            "trust": 0.1,
            "url": "https://www.openssl.org/about/secpolicy.html"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-3513"
          },
          {
            "trust": 0.1,
            "url": "http://h20564.www2.hpe.com/hpsc/swd/public"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2015-3194"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2015-0705"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2008-5161"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2015-1789"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2015-5600"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2015-1791"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-0412"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-6549"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2015-0403"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-0395"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2015-0407"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2015-0406"
          },
          {
            "trust": 0.1,
            "url": "https://security.gentoo.org/"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-6593"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-0383"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-6585"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-6549"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-6587"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-0413"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-6601"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-6591"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-6585"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-6591"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-6593"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2015-0421"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-6587"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-0406"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2015-0410"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-3566"
          },
          {
            "trust": 0.1,
            "url": "http://creativecommons.org/licenses/by-sa/2.5"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2014-6601"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-0403"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2015-0408"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2015-0412"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2015-0413"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-0410"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-0408"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2015-0400"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-0400"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-0407"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2015-0421"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2015-0383"
          },
          {
            "trust": 0.1,
            "url": "https://bugs.gentoo.org."
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2015-0395"
          },
          {
            "trust": 0.1,
            "url": "https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facets"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2014-6531"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2014-6532"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-6511"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/updates/classification/#critical"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-6558"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2014-6457"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-3065"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2014-6493"
          },
          {
            "trust": 0.1,
            "url": "https://www.ibm.com/developerworks/java/jdk/alerts/"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2014-4288"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2014-6503"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-4288"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-6532"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/articles/11258"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-6457"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2014-6512"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-6531"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/team/contact/"
          },
          {
            "trust": 0.1,
            "url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2014-3566"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2014-6511"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2014-3065"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2014-6458"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-6527"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-6502"
          },
          {
            "trust": 0.1,
            "url": "https://bugzilla.redhat.com/):"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-6493"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-6503"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2014-6492"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2014-6502"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-6476"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-6506"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2014-6558"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2014-6476"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-6515"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2014-6506"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2014-6456"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2014-6515"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/team/key/"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-6456"
          },
          {
            "trust": 0.1,
            "url": "https://access.redhat.com/security/cve/cve-2014-6527"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-6458"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-6492"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2014-6512"
          },
          {
            "trust": 0.1,
            "url": "https://www.hp.com/go/swa"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2016-0705"
          },
          {
            "trust": 0.1,
            "url": "https://www.hpe.com"
          },
          {
            "trust": 0.1,
            "url": "https://h20392.www2.hpe.com/"
          },
          {
            "trust": 0.1,
            "url": "http://www.hp.com/jp/icewall_patchaccess"
          },
          {
            "trust": 0.1,
            "url": "https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsea"
          },
          {
            "trust": 0.1,
            "url": "https://www.debian.org/security/"
          },
          {
            "trust": 0.1,
            "url": "https://www.debian.org/security/faq"
          }
        ],
        "sources": [
          {
            "db": "VULHUB",
            "id": "VHN-71506"
          },
          {
            "db": "PACKETSTORM",
            "id": "169664"
          },
          {
            "db": "PACKETSTORM",
            "id": "137294"
          },
          {
            "db": "PACKETSTORM",
            "id": "132641"
          },
          {
            "db": "PACKETSTORM",
            "id": "129266"
          },
          {
            "db": "PACKETSTORM",
            "id": "129178"
          },
          {
            "db": "PACKETSTORM",
            "id": "130334"
          },
          {
            "db": "PACKETSTORM",
            "id": "128921"
          },
          {
            "db": "PACKETSTORM",
            "id": "136577"
          },
          {
            "db": "PACKETSTORM",
            "id": "129071"
          },
          {
            "db": "PACKETSTORM",
            "id": "129065"
          },
          {
            "db": "PACKETSTORM",
            "id": "135908"
          },
          {
            "db": "NVD",
            "id": "CVE-2014-3566"
          }
        ]
      },
      "sources": {
        "_id": null,
        "data": [
          {
            "db": "VULHUB",
            "id": "VHN-71506",
            "ident": null
          },
          {
            "db": "VULMON",
            "id": "CVE-2014-3566",
            "ident": null
          },
          {
            "db": "BID",
            "id": "70574",
            "ident": null
          },
          {
            "db": "PACKETSTORM",
            "id": "169664",
            "ident": null
          },
          {
            "db": "PACKETSTORM",
            "id": "137294",
            "ident": null
          },
          {
            "db": "PACKETSTORM",
            "id": "132641",
            "ident": null
          },
          {
            "db": "PACKETSTORM",
            "id": "129266",
            "ident": null
          },
          {
            "db": "PACKETSTORM",
            "id": "129178",
            "ident": null
          },
          {
            "db": "PACKETSTORM",
            "id": "130334",
            "ident": null
          },
          {
            "db": "PACKETSTORM",
            "id": "128921",
            "ident": null
          },
          {
            "db": "PACKETSTORM",
            "id": "136577",
            "ident": null
          },
          {
            "db": "PACKETSTORM",
            "id": "129071",
            "ident": null
          },
          {
            "db": "PACKETSTORM",
            "id": "129065",
            "ident": null
          },
          {
            "db": "PACKETSTORM",
            "id": "135908",
            "ident": null
          },
          {
            "db": "NVD",
            "id": "CVE-2014-3566",
            "ident": null
          }
        ]
      },
      "sources_release_date": {
        "_id": null,
        "data": [
          {
            "date": "2014-10-15T00:00:00",
            "db": "VULHUB",
            "id": "VHN-71506",
            "ident": null
          },
          {
            "date": "2014-10-15T00:00:00",
            "db": "VULMON",
            "id": "CVE-2014-3566",
            "ident": null
          },
          {
            "date": "2014-10-14T00:00:00",
            "db": "BID",
            "id": "70574",
            "ident": null
          },
          {
            "date": "2014-10-15T12:12:12",
            "db": "PACKETSTORM",
            "id": "169664",
            "ident": null
          },
          {
            "date": "2016-06-02T16:22:00",
            "db": "PACKETSTORM",
            "id": "137294",
            "ident": null
          },
          {
            "date": "2015-07-10T15:43:42",
            "db": "PACKETSTORM",
            "id": "132641",
            "ident": null
          },
          {
            "date": "2014-11-26T15:08:22",
            "db": "PACKETSTORM",
            "id": "129266",
            "ident": null
          },
          {
            "date": "2014-11-20T16:18:57",
            "db": "PACKETSTORM",
            "id": "129178",
            "ident": null
          },
          {
            "date": "2015-02-10T17:43:07",
            "db": "PACKETSTORM",
            "id": "130334",
            "ident": null
          },
          {
            "date": "2014-10-31T23:08:29",
            "db": "PACKETSTORM",
            "id": "128921",
            "ident": null
          },
          {
            "date": "2016-04-06T13:28:14",
            "db": "PACKETSTORM",
            "id": "136577",
            "ident": null
          },
          {
            "date": "2014-11-12T18:14:00",
            "db": "PACKETSTORM",
            "id": "129071",
            "ident": null
          },
          {
            "date": "2014-11-12T18:13:12",
            "db": "PACKETSTORM",
            "id": "129065",
            "ident": null
          },
          {
            "date": "2016-02-24T23:59:00",
            "db": "PACKETSTORM",
            "id": "135908",
            "ident": null
          },
          {
            "date": "2014-10-15T00:55:02.137000",
            "db": "NVD",
            "id": "CVE-2014-3566",
            "ident": null
          }
        ]
      },
      "sources_update_date": {
        "_id": null,
        "data": [
          {
            "date": "2023-02-13T00:00:00",
            "db": "VULHUB",
            "id": "VHN-71506",
            "ident": null
          },
          {
            "date": "2023-09-12T00:00:00",
            "db": "VULMON",
            "id": "CVE-2014-3566",
            "ident": null
          },
          {
            "date": "2015-11-03T18:53:00",
            "db": "BID",
            "id": "70574",
            "ident": null
          },
          {
            "date": "2025-04-12T10:46:40.837000",
            "db": "NVD",
            "id": "CVE-2014-3566",
            "ident": null
          }
        ]
      },
      "threat_type": {
        "_id": null,
        "data": "network",
        "sources": [
          {
            "db": "BID",
            "id": "70574"
          }
        ],
        "trust": 0.3
      },
      "title": {
        "_id": null,
        "data": "OpenSSL CVE-2014-3566 Man In The Middle Information Disclosure Vulnerability",
        "sources": [
          {
            "db": "BID",
            "id": "70574"
          }
        ],
        "trust": 0.3
      },
      "type": {
        "_id": null,
        "data": "Design Error",
        "sources": [
          {
            "db": "BID",
            "id": "70574"
          }
        ],
        "trust": 0.3
      }
    }

    VAR-202112-2083

    Vulnerability from variot - Updated: 2025-11-18 14:43

    PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all users that use STUN. A malicious actor located within the victim’s network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victim’s machine. Users are advised to upgrade as soon as possible. There are no known workarounds. PJSIP Exists in an integer underflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. ========================================================================== Ubuntu Security Notice USN-6422-2 October 24, 2023

    ring vulnerabilities

    A security issue affects these releases of Ubuntu and its derivatives:

    • Ubuntu 23.10

    Summary:

    Several security issues were fixed in Ring.

    Software Description: - ring: Secure and distributed voice, video, and chat platform

    Details:

    It was discovered that Ring incorrectly handled certain inputs. (CVE-2021-37706)

    It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. (CVE-2023-27585)

    Original advisory details:

    It was discovered that Ring incorrectly handled certain inputs. (CVE-2021-37706)

    It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-43299, CVE-2021-43300, CVE-2021-43301, CVE-2021-43302, CVE-2021-43303, CVE-2021-43804, CVE-2021-43845, CVE-2022-21723, CVE-2022-23537, CVE-2022-23547, CVE-2022-23608, CVE-2022-24754, CVE-2022-24763, CVE-2022-24764, CVE-2022-24793, CVE-2022-31031, CVE-2022-39244)

    It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS. (CVE-2022-21722)

    It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. (CVE-2023-27585)

    Update instructions:

    The problem can be corrected by updating your system to the following package versions:

    Ubuntu 23.10: jami 20230206.0~ds2-1.3ubuntu0.1 jami-daemon 20230206.0~ds2-1.3ubuntu0.1

    In general, a standard system update will make all the necessary changes.

    References: https://ubuntu.com/security/notices/USN-6422-2 https://ubuntu.com/security/notices/USN-6422-1 CVE-2021-37706, CVE-2023-27585

    Package Information: https://launchpad.net/ubuntu/+source/ring/20230206.0~ds2-1.3ubuntu0.1

    . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202210-37


                                           https://security.gentoo.org/
    

    Severity: Normal Title: PJSIP: Multiple Vulnerabilities Date: October 31, 2022 Bugs: #803614, #829894, #875863 ID: 202210-37


    Synopsis

    Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution.

    Affected packages

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
    

    1 net-libs/pjproject < 2.12.1 >= 2.12.1

    Description

    Multiple vulnerabilities have been discovered in PJSIP. Please review the CVE identifiers referenced below for details.

    Impact

    Please review the referenced CVE identifiers for details.

    Resolution

    All PJSIP users should upgrade to the latest version:

    # emerge --sync # emerge --ask --oneshot --verbose ">=net-libs/pjproject-2.12.1"

    References

    [ 1 ] CVE-2021-32686 https://nvd.nist.gov/vuln/detail/CVE-2021-32686 [ 2 ] CVE-2021-37706 https://nvd.nist.gov/vuln/detail/CVE-2021-37706 [ 3 ] CVE-2021-41141 https://nvd.nist.gov/vuln/detail/CVE-2021-41141 [ 4 ] CVE-2021-43804 https://nvd.nist.gov/vuln/detail/CVE-2021-43804 [ 5 ] CVE-2021-43845 https://nvd.nist.gov/vuln/detail/CVE-2021-43845 [ 6 ] CVE-2022-21722 https://nvd.nist.gov/vuln/detail/CVE-2022-21722 [ 7 ] CVE-2022-21723 https://nvd.nist.gov/vuln/detail/CVE-2022-21723 [ 8 ] CVE-2022-23608 https://nvd.nist.gov/vuln/detail/CVE-2022-23608 [ 9 ] CVE-2022-24754 https://nvd.nist.gov/vuln/detail/CVE-2022-24754 [ 10 ] CVE-2022-24763 https://nvd.nist.gov/vuln/detail/CVE-2022-24763 [ 11 ] CVE-2022-24764 https://nvd.nist.gov/vuln/detail/CVE-2022-24764 [ 12 ] CVE-2022-24786 https://nvd.nist.gov/vuln/detail/CVE-2022-24786 [ 13 ] CVE-2022-24792 https://nvd.nist.gov/vuln/detail/CVE-2022-24792 [ 14 ] CVE-2022-24793 https://nvd.nist.gov/vuln/detail/CVE-2022-24793 [ 15 ] CVE-2022-31031 https://nvd.nist.gov/vuln/detail/CVE-2022-31031 [ 16 ] CVE-2022-39244 https://nvd.nist.gov/vuln/detail/CVE-2022-39244 [ 17 ] CVE-2022-39269 https://nvd.nist.gov/vuln/detail/CVE-2022-39269

    Availability

    This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

    https://security.gentoo.org/glsa/202210-37

    Concerns?

    Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

    License

    Copyright 2022 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

    The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512


    Debian Security Advisory DSA-5285-1 security@debian.org https://www.debian.org/security/ Markus Koschany November 17, 2022 https://www.debian.org/security/faq


    Package : asterisk CVE ID : CVE-2021-37706 CVE-2021-43299 CVE-2021-43300 CVE-2021-43301 CVE-2021-43302 CVE-2021-43303 CVE-2021-43804 CVE-2021-43845 CVE-2021-46837 CVE-2022-21722 CVE-2022-21723 CVE-2022-23608 CVE-2022-24763 CVE-2022-24764 CVE-2022-24786 CVE-2022-24792 CVE-2022-24793 CVE-2022-26498 CVE-2022-26499 CVE-2022-26651 Debian Bug : 1014998 1018073 1014976

    Multiple security vulnerabilities have been found in Asterisk, an Open Source Private Branch Exchange. Buffer overflows and other programming errors could be exploited for information disclosure or the execution of arbitrary code.

    Special care should be taken when upgrading to this new upstream release. Some configuration files and options have changed in order to remedy certain security vulnerabilities. Most notably the pjsip TLS listener only accepts TLSv1.3 connections in the default configuration now. This can be reverted by adding method=tlsv1_2 to the transport in pjsip.conf. See also https://issues.asterisk.org/jira/browse/ASTERISK-29017.

    For the stable distribution (bullseye), these problems have been fixed in version 1:16.28.0~dfsg-0+deb11u1.

    We recommend that you upgrade your asterisk packages.

    For the detailed security status of asterisk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/asterisk

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----

    iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmN2qoFfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7 UeR0pQ/+Kr+FWFeFyrkFTyVv5BGBJug+EvZzzC2JZoI/TNsiAWQi/BZTQJ0pmdZr EHokqN7Z35EqZW6sj5aypdK7bOv4N+uv6P59xROk1KjEEG6XttGJ2BUvffWYWEXo k6+ou/yfAxU72Ufd1eOcMtjyGeN0CljmemIJ5Cywpnaw8YArP+VzRK2NEth0gCmJ TAfSvIPFaS7jB6fEg8KESOpmvtlqEJUh5sjP2t+OOEc3AoNBBuj4ZC44SQ1nif6k jEbmLFnJYQF8dP+IasZ3SY80N+BeuGiylZQ6w1ZvuYuUAK3jhHQ3CJvTQ4sEqNQV Zva6t0kHOEKVxKg412oEpQ0ihR+EBF/lnECu7iR2HTKk8xteNwio5qeeW/joTAJx OTYlHTtERTZIiaHdmV3nmGYgrTLeDHClilCnJrQuyXF+LVHjxBWDh7WS83zSrdIH gNP0eZ5UEjrpomf1yKqHVUsji63eSWACdFVXJLACMwpuevq8qgV6zASD+VuUd36r foEOKVj+FIHehWSef9pP48Na8bOn0EDVqtZEPOjE6o8Y8PjgSf7BSNogppZncldw VREox9NsxGM9hSVh3lVBWL8lT76HQVzXjfXXXoIEFDiGokNRV/dNTuhhb/mh0zxr VTKBboC6ijQVCdVQ7UdGFnoVXOWW2gy8sdam40ELBUCGDD5XI7A\xeajm -----END PGP SIGNATURE----- . Asterisk Project Security Advisory - AST-2022-004

         Product        Asterisk                                              
         Summary        pjproject: possible integer underflow on STUN         
                        message                                               
    Nature of Advisory  Arbitrary code execution                              
      Susceptibility    Remote unauthenticated sessions                       
         Severity       Major                                                 
      Exploits Known    Yes                                                   
       Reported On      March 3, 2022                                         
       Reported By      Sauw Ming                                             
        Posted On       March 4, 2022                                         
     Last Updated On    March 3, 2022                                         
     Advisory Contact   kharwell AT sangoma DOT com                           
         CVE Name       CVE-2021-37706
    
      Description     The header length on incoming STUN messages that        
                      contain an ERROR-CODE attribute is not properly         
                      checked. This can result in an integer underflow.       
                      Note, this requires ICE or WebRTC support to be in use  
                      with a malicious remote party.                          
    Modules Affected  bundled pjproject
    
    Resolution  If you use “with-pjproject-bundled” then upgrade to, or       
                install one of, the versions of Asterisk listed below.        
                Otherwise install the appropriate version of pjproject that   
                contains the patch.
    
                               Affected Versions
                Product              Release Series  
         Asterisk Open Source             16.x       All versions             
         Asterisk Open Source             18.x       All versions             
         Asterisk Open Source             19.x       All versions             
          Certified Asterisk              16.x       All versions
    
                                  Corrected In
                 Product                              Release                 
           Asterisk Open Source                16.24.1,18.10.1,19.2.1         
            Certified Asterisk                      16.8-cert13
    
                                    Patches                         
                              Patch URL                             Revision
    

    https://downloads.digium.com/pub/security/AST-2022-004-16.diff Asterisk
    16
    https://downloads.digium.com/pub/security/AST-2022-004-18.diff Asterisk
    18
    https://downloads.digium.com/pub/security/AST-2022-004-19.diff Asterisk
    19
    https://downloads.digium.com/pub/security/AST-2022-004-16.8.diff Certified Asterisk
    16.8

    Links https://issues.asterisk.org/jira/browse/ASTERISK-29945

      https://downloads.asterisk.org/pub/security/AST-2022-004.html
    
      https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984
    
    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security
    
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    https://downloads.digium.com/pub/security/AST-2022-004.pdf and            
    https://downloads.digium.com/pub/security/AST-2022-004.html
    
                                Revision History
          Date                  Editor                 Revisions Made         
    March 3, 2022      Kevin Harwell             Initial revision
    
               Asterisk Project Security Advisory - AST-2022-004
               Copyright © 2022 Digium, Inc. All Rights Reserved.
    

    Permission is hereby granted to distribute and publish this advisory in its original, unaltered form

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202112-2083",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "asterisk",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "sangoma",
            "version": "16.24.1"
          },
          {
            "model": "asterisk",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "sangoma",
            "version": "18.0.0"
          },
          {
            "model": "pjsip",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "teluu",
            "version": "2.11.1"
          },
          {
            "model": "asterisk",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "sangoma",
            "version": "18.10.1"
          },
          {
            "model": "asterisk",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "sangoma",
            "version": "19.2.1"
          },
          {
            "model": "certified asterisk",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "16.8.0"
          },
          {
            "model": "asterisk",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "sangoma",
            "version": "19.0.0"
          },
          {
            "model": "asterisk",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "sangoma",
            "version": "16.0.0"
          },
          {
            "model": "linux",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "debian",
            "version": "9.0"
          },
          {
            "model": "linux",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "debian",
            "version": "10.0"
          },
          {
            "model": "certified asterisk",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "16.8.0"
          },
          {
            "model": "gnu/linux",
            "scope": null,
            "trust": 0.8,
            "vendor": "debian",
            "version": null
          },
          {
            "model": "asterisk",
            "scope": null,
            "trust": 0.8,
            "vendor": "sangoma",
            "version": null
          },
          {
            "model": "certified asterisk",
            "scope": null,
            "trust": 0.8,
            "vendor": "asterisk",
            "version": null
          },
          {
            "model": "pjsip",
            "scope": null,
            "trust": 0.8,
            "vendor": "teluu",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-016401"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-37706"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Ubuntu",
        "sources": [
          {
            "db": "PACKETSTORM",
            "id": "175315"
          },
          {
            "db": "PACKETSTORM",
            "id": "175025"
          }
        ],
        "trust": 0.2
      },
      "cve": "CVE-2021-37706",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "COMPLETE",
                "baseScore": 9.3,
                "confidentialityImpact": "COMPLETE",
                "exploitabilityScore": 8.6,
                "id": "CVE-2021-37706",
                "impactScore": 10.0,
                "integrityImpact": "COMPLETE",
                "severity": "HIGH",
                "trust": 1.9,
                "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "nvd@nist.gov",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 3.9,
                "id": "CVE-2021-37706",
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "security-advisories@github.com",
                "availabilityImpact": "LOW",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "exploitabilityScore": 3.9,
                "id": "CVE-2021-37706",
                "impactScore": 3.4,
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "NVD",
                "availabilityImpact": "High",
                "baseScore": 9.8,
                "baseSeverity": "Critical",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "CVE-2021-37706",
                "impactScore": null,
                "integrityImpact": "High",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2021-37706",
                "trust": 1.0,
                "value": "CRITICAL"
              },
              {
                "author": "security-advisories@github.com",
                "id": "CVE-2021-37706",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "NVD",
                "id": "CVE-2021-37706",
                "trust": 0.8,
                "value": "Critical"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202112-2179",
                "trust": 0.6,
                "value": "CRITICAL"
              },
              {
                "author": "VULMON",
                "id": "CVE-2021-37706",
                "trust": 0.1,
                "value": "HIGH"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2021-37706"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202112-2179"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-016401"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-37706"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-37706"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In affected versions if the incoming STUN message contains an ERROR-CODE attribute, the header length is not checked before performing a subtraction operation, potentially resulting in an integer underflow scenario. This issue affects all users that use STUN. A malicious actor located within the victim\u2019s network may forge and send a specially crafted UDP (STUN) message that could remotely execute arbitrary code on the victim\u2019s machine. Users are advised to upgrade as soon as possible. There are no known workarounds. PJSIP Exists in an integer underflow vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. ==========================================================================\nUbuntu Security Notice USN-6422-2\nOctober 24, 2023\n\nring vulnerabilities\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 23.10\n\nSummary:\n\nSeveral security issues were fixed in Ring. \n\nSoftware Description:\n- ring: Secure and distributed voice, video, and chat platform\n\nDetails:\n\nIt was discovered that Ring incorrectly handled certain inputs. \n(CVE-2021-37706)\n\nIt was discovered that Ring incorrectly handled certain inputs. If a user or\nan automated system were tricked into opening a specially crafted input file,\na remote attacker could possibly use this issue to cause a denial of service. \n(CVE-2023-27585)\n\n\nOriginal advisory details:\n\n\n  It was discovered that Ring incorrectly handled certain inputs. \n  (CVE-2021-37706)\n\n  It was discovered that Ring incorrectly handled certain inputs. If a user or\n  an automated system were tricked into opening a specially crafted input file,\n  a remote attacker could possibly use this issue to cause a denial of service. \n  This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. \n  (CVE-2021-43299, CVE-2021-43300, CVE-2021-43301, CVE-2021-43302,\n  CVE-2021-43303, CVE-2021-43804, CVE-2021-43845, CVE-2022-21723,\n  CVE-2022-23537, CVE-2022-23547, CVE-2022-23608, CVE-2022-24754,\n  CVE-2022-24763, CVE-2022-24764, CVE-2022-24793, CVE-2022-31031,\n  CVE-2022-39244)\n\n  It was discovered that Ring incorrectly handled certain inputs. If a user or\n  an automated system were tricked into opening a specially crafted input file,\n  a remote attacker could possibly use this issue to cause a denial of service. \n  This issue only affected Ubuntu 20.04 LTS. (CVE-2022-21722)\n\n  It was discovered that Ring incorrectly handled certain inputs. If a user or\n  an automated system were tricked into opening a specially crafted input file,\n  a remote attacker could possibly use this issue to cause a denial of service. \n  (CVE-2023-27585)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 23.10:\n   jami                            20230206.0~ds2-1.3ubuntu0.1\n   jami-daemon                     20230206.0~ds2-1.3ubuntu0.1\n\nIn general, a standard system update will make all the necessary changes. \n\nReferences:\n   https://ubuntu.com/security/notices/USN-6422-2\n   https://ubuntu.com/security/notices/USN-6422-1\n   CVE-2021-37706, CVE-2023-27585\n\nPackage Information:\n   https://launchpad.net/ubuntu/+source/ring/20230206.0~ds2-1.3ubuntu0.1\n\n. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory                           GLSA 202210-37\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n                                           https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n    Title: PJSIP: Multiple Vulnerabilities\n     Date: October 31, 2022\n     Bugs: #803614, #829894, #875863\n       ID: 202210-37\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n=======\nMultiple vulnerabilities have been found in PJSIP, the worst of which\ncould result in arbitrary code execution. \n\nAffected packages\n================\n    -------------------------------------------------------------------\n     Package              /     Vulnerable     /            Unaffected\n    -------------------------------------------------------------------\n  1  net-libs/pjproject         \u003c 2.12.1                    \u003e= 2.12.1\n\nDescription\n==========\nMultiple vulnerabilities have been discovered in PJSIP. Please review\nthe CVE identifiers referenced below for details. \n\nImpact\n=====\nPlease review the referenced CVE identifiers for details. \n\nResolution\n=========\nAll PJSIP users should upgrade to the latest version:\n\n  # emerge --sync\n  # emerge --ask --oneshot --verbose \"\u003e=net-libs/pjproject-2.12.1\"\n\nReferences\n=========\n[ 1 ] CVE-2021-32686\n      https://nvd.nist.gov/vuln/detail/CVE-2021-32686\n[ 2 ] CVE-2021-37706\n      https://nvd.nist.gov/vuln/detail/CVE-2021-37706\n[ 3 ] CVE-2021-41141\n      https://nvd.nist.gov/vuln/detail/CVE-2021-41141\n[ 4 ] CVE-2021-43804\n      https://nvd.nist.gov/vuln/detail/CVE-2021-43804\n[ 5 ] CVE-2021-43845\n      https://nvd.nist.gov/vuln/detail/CVE-2021-43845\n[ 6 ] CVE-2022-21722\n      https://nvd.nist.gov/vuln/detail/CVE-2022-21722\n[ 7 ] CVE-2022-21723\n      https://nvd.nist.gov/vuln/detail/CVE-2022-21723\n[ 8 ] CVE-2022-23608\n      https://nvd.nist.gov/vuln/detail/CVE-2022-23608\n[ 9 ] CVE-2022-24754\n      https://nvd.nist.gov/vuln/detail/CVE-2022-24754\n[ 10 ] CVE-2022-24763\n      https://nvd.nist.gov/vuln/detail/CVE-2022-24763\n[ 11 ] CVE-2022-24764\n      https://nvd.nist.gov/vuln/detail/CVE-2022-24764\n[ 12 ] CVE-2022-24786\n      https://nvd.nist.gov/vuln/detail/CVE-2022-24786\n[ 13 ] CVE-2022-24792\n      https://nvd.nist.gov/vuln/detail/CVE-2022-24792\n[ 14 ] CVE-2022-24793\n      https://nvd.nist.gov/vuln/detail/CVE-2022-24793\n[ 15 ] CVE-2022-31031\n      https://nvd.nist.gov/vuln/detail/CVE-2022-31031\n[ 16 ] CVE-2022-39244\n      https://nvd.nist.gov/vuln/detail/CVE-2022-39244\n[ 17 ] CVE-2022-39269\n      https://nvd.nist.gov/vuln/detail/CVE-2022-39269\n\nAvailability\n===========\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202210-37\n\nConcerns?\n========\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n======\nCopyright 2022 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n- -------------------------------------------------------------------------\nDebian Security Advisory DSA-5285-1                   security@debian.org\nhttps://www.debian.org/security/                          Markus Koschany\nNovember 17, 2022                     https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage        : asterisk\nCVE ID         : CVE-2021-37706 CVE-2021-43299 CVE-2021-43300 CVE-2021-43301\n                 CVE-2021-43302 CVE-2021-43303 CVE-2021-43804 CVE-2021-43845\n                 CVE-2021-46837 CVE-2022-21722 CVE-2022-21723 CVE-2022-23608\n                 CVE-2022-24763 CVE-2022-24764 CVE-2022-24786 CVE-2022-24792\n                 CVE-2022-24793 CVE-2022-26498 CVE-2022-26499 CVE-2022-26651\nDebian Bug     : 1014998 1018073 1014976\n\nMultiple security vulnerabilities have been found in Asterisk, an Open Source\nPrivate Branch Exchange. Buffer overflows and other programming errors could be\nexploited for information disclosure or the execution of arbitrary code. \n\nSpecial care should be taken when upgrading to this new upstream release. \nSome configuration files and options have changed in order to remedy\ncertain security vulnerabilities. Most notably the pjsip TLS listener only\naccepts TLSv1.3 connections in the default configuration now. This can be\nreverted by adding method=tlsv1_2 to the transport in pjsip.conf. See also\nhttps://issues.asterisk.org/jira/browse/ASTERISK-29017. \n\nFor the stable distribution (bullseye), these problems have been fixed in\nversion 1:16.28.0~dfsg-0+deb11u1. \n\nWe recommend that you upgrade your asterisk packages. \n\nFor the detailed security status of asterisk please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/asterisk\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmN2qoFfFIAAAAAALgAo\naXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD\nRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7\nUeR0pQ/+Kr+FWFeFyrkFTyVv5BGBJug+EvZzzC2JZoI/TNsiAWQi/BZTQJ0pmdZr\nEHokqN7Z35EqZW6sj5aypdK7bOv4N+uv6P59xROk1KjEEG6XttGJ2BUvffWYWEXo\nk6+ou/yfAxU72Ufd1eOcMtjyGeN0CljmemIJ5Cywpnaw8YArP+VzRK2NEth0gCmJ\nTAfSvIPFaS7jB6fEg8KESOpmvtlqEJUh5sjP2t+OOEc3AoNBBuj4ZC44SQ1nif6k\njEbmLFnJYQF8dP+IasZ3SY80N+BeuGiylZQ6w1ZvuYuUAK3jhHQ3CJvTQ4sEqNQV\nZva6t0kHOEKVxKg412oEpQ0ihR+EBF/lnECu7iR2HTKk8xteNwio5qeeW/joTAJx\nOTYlHTtERTZIiaHdmV3nmGYgrTLeDHClilCnJrQuyXF+LVHjxBWDh7WS83zSrdIH\ngNP0eZ5UEjrpomf1yKqHVUsji63eSWACdFVXJLACMwpuevq8qgV6zASD+VuUd36r\nfoEOKVj+FIHehWSef9pP48Na8bOn0EDVqtZEPOjE6o8Y8PjgSf7BSNogppZncldw\nVREox9NsxGM9hSVh3lVBWL8lT76HQVzXjfXXXoIEFDiGokNRV/dNTuhhb/mh0zxr\nVTKBboC6ijQVCdVQ7UdGFnoVXOWW2gy8sdam40ELBUCGDD5XI7A\\xeajm\n-----END PGP SIGNATURE-----\n.                Asterisk Project Security Advisory - AST-2022-004\n\n         Product        Asterisk                                              \n         Summary        pjproject: possible integer underflow on STUN         \n                        message                                               \n    Nature of Advisory  Arbitrary code execution                              \n      Susceptibility    Remote unauthenticated sessions                       \n         Severity       Major                                                 \n      Exploits Known    Yes                                                   \n       Reported On      March 3, 2022                                         \n       Reported By      Sauw Ming                                             \n        Posted On       March 4, 2022                                         \n     Last Updated On    March 3, 2022                                         \n     Advisory Contact   kharwell AT sangoma DOT com                           \n         CVE Name       CVE-2021-37706                                        \n\n      Description     The header length on incoming STUN messages that        \n                      contain an ERROR-CODE attribute is not properly         \n                      checked. This can result in an integer underflow.       \n                      Note, this requires ICE or WebRTC support to be in use  \n                      with a malicious remote party.                          \n    Modules Affected  bundled pjproject                                       \n\n    Resolution  If you use \u201cwith-pjproject-bundled\u201d then upgrade to, or       \n                install one of, the versions of Asterisk listed below.        \n                Otherwise install the appropriate version of pjproject that   \n                contains the patch.                                           \n\n                               Affected Versions\n                Product              Release Series  \n         Asterisk Open Source             16.x       All versions             \n         Asterisk Open Source             18.x       All versions             \n         Asterisk Open Source             19.x       All versions             \n          Certified Asterisk              16.x       All versions             \n\n                                  Corrected In\n                 Product                              Release                 \n           Asterisk Open Source                16.24.1,18.10.1,19.2.1         \n            Certified Asterisk                      16.8-cert13               \n\n                                    Patches                         \n                              Patch URL                             Revision  \n   https://downloads.digium.com/pub/security/AST-2022-004-16.diff   Asterisk  \n                                                                    16        \n   https://downloads.digium.com/pub/security/AST-2022-004-18.diff   Asterisk  \n                                                                    18        \n   https://downloads.digium.com/pub/security/AST-2022-004-19.diff   Asterisk  \n                                                                    19        \n   https://downloads.digium.com/pub/security/AST-2022-004-16.8.diff Certified \n                                                                    Asterisk  \n                                                                    16.8      \n\nLinks https://issues.asterisk.org/jira/browse/ASTERISK-29945                     \n                                                                                 \n      https://downloads.asterisk.org/pub/security/AST-2022-004.html              \n                                                                                 \n      https://github.com/pjsip/pjproject/security/advisories/GHSA-2qpg-f6wf-w984 \n\n    Asterisk Project Security Advisories are posted at                        \n    http://www.asterisk.org/security                                          \n                                                                              \n    This document may be superseded by later versions; if so, the latest      \n    version will be posted at                                                 \n    https://downloads.digium.com/pub/security/AST-2022-004.pdf and            \n    https://downloads.digium.com/pub/security/AST-2022-004.html               \n\n                                Revision History\n          Date                  Editor                 Revisions Made         \n    March 3, 2022      Kevin Harwell             Initial revision             \n\n               Asterisk Project Security Advisory - AST-2022-004\n               Copyright \u00a9 2022 Digium, Inc. All Rights Reserved. \n  Permission is hereby granted to distribute and publish this advisory in its\n                           original, unaltered form",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2021-37706"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-016401"
          },
          {
            "db": "VULMON",
            "id": "CVE-2021-37706"
          },
          {
            "db": "PACKETSTORM",
            "id": "175315"
          },
          {
            "db": "PACKETSTORM",
            "id": "169618"
          },
          {
            "db": "PACKETSTORM",
            "id": "169938"
          },
          {
            "db": "PACKETSTORM",
            "id": "175025"
          },
          {
            "db": "PACKETSTORM",
            "id": "166225"
          }
        ],
        "trust": 2.16
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2021-37706",
            "trust": 3.8
          },
          {
            "db": "PACKETSTORM",
            "id": "166225",
            "trust": 1.8
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-016401",
            "trust": 0.8
          },
          {
            "db": "PACKETSTORM",
            "id": "169618",
            "trust": 0.7
          },
          {
            "db": "PACKETSTORM",
            "id": "169938",
            "trust": 0.7
          },
          {
            "db": "CS-HELP",
            "id": "SB2022022414",
            "trust": 0.6
          },
          {
            "db": "CS-HELP",
            "id": "SB2022030601",
            "trust": 0.6
          },
          {
            "db": "AUSCERT",
            "id": "ESB-2022.0941",
            "trust": 0.6
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202112-2179",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2021-37706",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "175315",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "175025",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2021-37706"
          },
          {
            "db": "PACKETSTORM",
            "id": "175315"
          },
          {
            "db": "PACKETSTORM",
            "id": "169618"
          },
          {
            "db": "PACKETSTORM",
            "id": "169938"
          },
          {
            "db": "PACKETSTORM",
            "id": "175025"
          },
          {
            "db": "PACKETSTORM",
            "id": "166225"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202112-2179"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-016401"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-37706"
          }
        ]
      },
      "id": "VAR-202112-2083",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.348297215
      },
      "last_update_date": "2025-11-18T14:43:44.980000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Potential\u00a0integer\u00a0underflow\u00a0upon\u00a0receiving\u00a0STUN\u00a0message",
            "trust": 0.8,
            "url": "https://www.asterisk.org/"
          },
          {
            "title": "PJSIP Fixes for digital error vulnerabilities",
            "trust": 0.6,
            "url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=176822"
          },
          {
            "title": "Debian CVElist Bug Report Logs: ring: CVE-2021-32686 CVE-2021-37706 CVE-2022-21723 CVE-2022-23608 CVE-2021-43299 CVE-2021-43300 CVE-2021-43301 CVE-2021-43302 CVE-2021-43303 CVE-2021-43804 CVE-2021-43845 CVE-2022-21722 CVE-2022-24754 CVE-2022-24763 CVE-2022-24764 CVE-2022-24793",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=4e89fc7b47aa12e94340b2e2db73b906"
          },
          {
            "title": "Debian Security Advisories: DSA-5285-1 asterisk -- security update",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=edc2cf0db8c0593c65c4c82227026727"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2021-37706"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202112-2179"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-016401"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-191",
            "trust": 1.0
          },
          {
            "problemtype": "Integer underflow (CWE-191) [NVD evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-016401"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-37706"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.5,
            "url": "http://seclists.org/fulldisclosure/2022/mar/0"
          },
          {
            "trust": 2.3,
            "url": "http://packetstormsecurity.com/files/166225/asterisk-project-security-advisory-ast-2022-004.html"
          },
          {
            "trust": 1.9,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-37706"
          },
          {
            "trust": 1.8,
            "url": "https://github.com/pjsip/pjproject/security/advisories/ghsa-2qpg-f6wf-w984"
          },
          {
            "trust": 1.8,
            "url": "https://security.gentoo.org/glsa/202210-37"
          },
          {
            "trust": 1.8,
            "url": "https://www.debian.org/security/2022/dsa-5285"
          },
          {
            "trust": 1.7,
            "url": "https://github.com/pjsip/pjproject/commit/15663e3f37091069b8c98a7fce680dc04bc8e865"
          },
          {
            "trust": 1.7,
            "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html"
          },
          {
            "trust": 1.7,
            "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"
          },
          {
            "trust": 1.0,
            "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html"
          },
          {
            "trust": 1.0,
            "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html"
          },
          {
            "trust": 0.6,
            "url": "https://packetstormsecurity.com/files/169618/gentoo-linux-security-advisory-202210-37.html"
          },
          {
            "trust": 0.6,
            "url": "https://packetstormsecurity.com/files/169938/debian-security-advisory-5285-1.html"
          },
          {
            "trust": 0.6,
            "url": "https://www.cybersecurity-help.cz/vdb/sb2022022414"
          },
          {
            "trust": 0.6,
            "url": "https://www.cybersecurity-help.cz/vdb/sb2022030601"
          },
          {
            "trust": 0.6,
            "url": "https://vigilance.fr/vulnerability/asterisk-integer-overflow-via-pjproject-stun-message-37712"
          },
          {
            "trust": 0.6,
            "url": "https://www.auscert.org.au/bulletins/esb-2022.0941"
          },
          {
            "trust": 0.4,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-21722"
          },
          {
            "trust": 0.4,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-24763"
          },
          {
            "trust": 0.3,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43303"
          },
          {
            "trust": 0.3,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-39244"
          },
          {
            "trust": 0.3,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43804"
          },
          {
            "trust": 0.3,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-23608"
          },
          {
            "trust": 0.3,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-24764"
          },
          {
            "trust": 0.2,
            "url": "https://ubuntu.com/security/notices/usn-6422-1"
          },
          {
            "trust": 0.2,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-23537"
          },
          {
            "trust": 0.2,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2023-27585"
          },
          {
            "trust": 0.2,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-24793"
          },
          {
            "trust": 0.2,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43845"
          },
          {
            "trust": 0.2,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-21723"
          },
          {
            "trust": 0.2,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43302"
          },
          {
            "trust": 0.1,
            "url": "https://cwe.mitre.org/data/definitions/191.html"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          },
          {
            "trust": 0.1,
            "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014998"
          },
          {
            "trust": 0.1,
            "url": "https://launchpad.net/ubuntu/+source/ring/20230206.0~ds2-1.3ubuntu0.1"
          },
          {
            "trust": 0.1,
            "url": "https://ubuntu.com/security/notices/usn-6422-2"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-41141"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-24754"
          },
          {
            "trust": 0.1,
            "url": "https://creativecommons.org/licenses/by-sa/2.5"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-39269"
          },
          {
            "trust": 0.1,
            "url": "https://bugs.gentoo.org."
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-24786"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-24792"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-31031"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-32686"
          },
          {
            "trust": 0.1,
            "url": "https://security.gentoo.org/"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43299"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-46837"
          },
          {
            "trust": 0.1,
            "url": "https://www.debian.org/security/faq"
          },
          {
            "trust": 0.1,
            "url": "https://www.debian.org/security/"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43301"
          },
          {
            "trust": 0.1,
            "url": "https://issues.asterisk.org/jira/browse/asterisk-29017."
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43300"
          },
          {
            "trust": 0.1,
            "url": "https://security-tracker.debian.org/tracker/asterisk"
          },
          {
            "trust": 0.1,
            "url": "https://launchpad.net/ubuntu/+source/ring/20190215.1.f152c98~ds1-1+deb10u2build0.20.04.1"
          },
          {
            "trust": 0.1,
            "url": "https://launchpad.net/ubuntu/+source/ring/20230206.0~ds1-5ubuntu0.1"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-23547"
          },
          {
            "trust": 0.1,
            "url": "https://downloads.digium.com/pub/security/ast-2022-004-16.diff"
          },
          {
            "trust": 0.1,
            "url": "https://downloads.digium.com/pub/security/ast-2022-004.pdf"
          },
          {
            "trust": 0.1,
            "url": "http://www.asterisk.org/security"
          },
          {
            "trust": 0.1,
            "url": "https://downloads.digium.com/pub/security/ast-2022-004-18.diff"
          },
          {
            "trust": 0.1,
            "url": "https://downloads.asterisk.org/pub/security/ast-2022-004.html"
          },
          {
            "trust": 0.1,
            "url": "https://issues.asterisk.org/jira/browse/asterisk-29945"
          },
          {
            "trust": 0.1,
            "url": "https://downloads.digium.com/pub/security/ast-2022-004.html"
          },
          {
            "trust": 0.1,
            "url": "https://downloads.digium.com/pub/security/ast-2022-004-19.diff"
          },
          {
            "trust": 0.1,
            "url": "https://downloads.digium.com/pub/security/ast-2022-004-16.8.diff"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2021-37706"
          },
          {
            "db": "PACKETSTORM",
            "id": "175315"
          },
          {
            "db": "PACKETSTORM",
            "id": "169618"
          },
          {
            "db": "PACKETSTORM",
            "id": "169938"
          },
          {
            "db": "PACKETSTORM",
            "id": "175025"
          },
          {
            "db": "PACKETSTORM",
            "id": "166225"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202112-2179"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-016401"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-37706"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2021-37706"
          },
          {
            "db": "PACKETSTORM",
            "id": "175315"
          },
          {
            "db": "PACKETSTORM",
            "id": "169618"
          },
          {
            "db": "PACKETSTORM",
            "id": "169938"
          },
          {
            "db": "PACKETSTORM",
            "id": "175025"
          },
          {
            "db": "PACKETSTORM",
            "id": "166225"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202112-2179"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-016401"
          },
          {
            "db": "NVD",
            "id": "CVE-2021-37706"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2021-12-22T00:00:00",
            "db": "VULMON",
            "id": "CVE-2021-37706"
          },
          {
            "date": "2023-10-24T16:01:47",
            "db": "PACKETSTORM",
            "id": "175315"
          },
          {
            "date": "2022-11-01T13:21:55",
            "db": "PACKETSTORM",
            "id": "169618"
          },
          {
            "date": "2022-11-18T14:28:10",
            "db": "PACKETSTORM",
            "id": "169938"
          },
          {
            "date": "2023-10-10T14:47:37",
            "db": "PACKETSTORM",
            "id": "175025"
          },
          {
            "date": "2022-03-07T16:25:13",
            "db": "PACKETSTORM",
            "id": "166225"
          },
          {
            "date": "2021-12-22T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202112-2179"
          },
          {
            "date": "2022-12-14T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2021-016401"
          },
          {
            "date": "2021-12-22T18:15:07.487000",
            "db": "NVD",
            "id": "CVE-2021-37706"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2022-11-18T00:00:00",
            "db": "VULMON",
            "id": "CVE-2021-37706"
          },
          {
            "date": "2022-11-21T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202112-2179"
          },
          {
            "date": "2022-12-14T05:31:00",
            "db": "JVNDB",
            "id": "JVNDB-2021-016401"
          },
          {
            "date": "2025-11-04T16:15:43.010000",
            "db": "NVD",
            "id": "CVE-2021-37706"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "PACKETSTORM",
            "id": "175315"
          },
          {
            "db": "PACKETSTORM",
            "id": "175025"
          },
          {
            "db": "PACKETSTORM",
            "id": "166225"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202112-2179"
          }
        ],
        "trust": 0.9
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "PJSIP\u00a0 Integer Underflow Vulnerability in",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2021-016401"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "digital error",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202112-2179"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202201-0582

    Vulnerability from variot - Updated: 2025-11-18 13:57

    PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions 2.11.1 and prior, parsing an incoming SIP message that contains a malformed multipart can potentially cause out-of-bound read access. This issue affects all PJSIP users that accept SIP multipart. The patch is available as commit in the master branch. There are no known workarounds. PJSIP Exists in an out-of-bounds read vulnerability.Information is obtained and service operation is interrupted (DoS) It may be in a state. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202210-37


                                           https://security.gentoo.org/
    

    Severity: Normal Title: PJSIP: Multiple Vulnerabilities Date: October 31, 2022 Bugs: #803614, #829894, #875863 ID: 202210-37


    Synopsis

    Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution.

    Affected packages

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
    

    1 net-libs/pjproject < 2.12.1 >= 2.12.1

    Description

    Multiple vulnerabilities have been discovered in PJSIP. Please review the CVE identifiers referenced below for details.

    Impact

    Please review the referenced CVE identifiers for details.

    Resolution

    All PJSIP users should upgrade to the latest version:

    # emerge --sync # emerge --ask --oneshot --verbose ">=net-libs/pjproject-2.12.1"

    References

    [ 1 ] CVE-2021-32686 https://nvd.nist.gov/vuln/detail/CVE-2021-32686 [ 2 ] CVE-2021-37706 https://nvd.nist.gov/vuln/detail/CVE-2021-37706 [ 3 ] CVE-2021-41141 https://nvd.nist.gov/vuln/detail/CVE-2021-41141 [ 4 ] CVE-2021-43804 https://nvd.nist.gov/vuln/detail/CVE-2021-43804 [ 5 ] CVE-2021-43845 https://nvd.nist.gov/vuln/detail/CVE-2021-43845 [ 6 ] CVE-2022-21722 https://nvd.nist.gov/vuln/detail/CVE-2022-21722 [ 7 ] CVE-2022-21723 https://nvd.nist.gov/vuln/detail/CVE-2022-21723 [ 8 ] CVE-2022-23608 https://nvd.nist.gov/vuln/detail/CVE-2022-23608 [ 9 ] CVE-2022-24754 https://nvd.nist.gov/vuln/detail/CVE-2022-24754 [ 10 ] CVE-2022-24763 https://nvd.nist.gov/vuln/detail/CVE-2022-24763 [ 11 ] CVE-2022-24764 https://nvd.nist.gov/vuln/detail/CVE-2022-24764 [ 12 ] CVE-2022-24786 https://nvd.nist.gov/vuln/detail/CVE-2022-24786 [ 13 ] CVE-2022-24792 https://nvd.nist.gov/vuln/detail/CVE-2022-24792 [ 14 ] CVE-2022-24793 https://nvd.nist.gov/vuln/detail/CVE-2022-24793 [ 15 ] CVE-2022-31031 https://nvd.nist.gov/vuln/detail/CVE-2022-31031 [ 16 ] CVE-2022-39244 https://nvd.nist.gov/vuln/detail/CVE-2022-39244 [ 17 ] CVE-2022-39269 https://nvd.nist.gov/vuln/detail/CVE-2022-39269

    Availability

    This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

    https://security.gentoo.org/glsa/202210-37

    Concerns?

    Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

    License

    Copyright 2022 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

    The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512


    Debian Security Advisory DSA-5285-1 security@debian.org https://www.debian.org/security/ Markus Koschany November 17, 2022 https://www.debian.org/security/faq


    Package : asterisk CVE ID : CVE-2021-37706 CVE-2021-43299 CVE-2021-43300 CVE-2021-43301 CVE-2021-43302 CVE-2021-43303 CVE-2021-43804 CVE-2021-43845 CVE-2021-46837 CVE-2022-21722 CVE-2022-21723 CVE-2022-23608 CVE-2022-24763 CVE-2022-24764 CVE-2022-24786 CVE-2022-24792 CVE-2022-24793 CVE-2022-26498 CVE-2022-26499 CVE-2022-26651 Debian Bug : 1014998 1018073 1014976

    Multiple security vulnerabilities have been found in Asterisk, an Open Source Private Branch Exchange. Buffer overflows and other programming errors could be exploited for information disclosure or the execution of arbitrary code.

    Special care should be taken when upgrading to this new upstream release. Some configuration files and options have changed in order to remedy certain security vulnerabilities. Most notably the pjsip TLS listener only accepts TLSv1.3 connections in the default configuration now. This can be reverted by adding method=tlsv1_2 to the transport in pjsip.conf. See also https://issues.asterisk.org/jira/browse/ASTERISK-29017.

    For the stable distribution (bullseye), these problems have been fixed in version 1:16.28.0~dfsg-0+deb11u1.

    We recommend that you upgrade your asterisk packages.

    For the detailed security status of asterisk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/asterisk

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----

    iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmN2qoFfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7 UeR0pQ/+Kr+FWFeFyrkFTyVv5BGBJug+EvZzzC2JZoI/TNsiAWQi/BZTQJ0pmdZr EHokqN7Z35EqZW6sj5aypdK7bOv4N+uv6P59xROk1KjEEG6XttGJ2BUvffWYWEXo k6+ou/yfAxU72Ufd1eOcMtjyGeN0CljmemIJ5Cywpnaw8YArP+VzRK2NEth0gCmJ TAfSvIPFaS7jB6fEg8KESOpmvtlqEJUh5sjP2t+OOEc3AoNBBuj4ZC44SQ1nif6k jEbmLFnJYQF8dP+IasZ3SY80N+BeuGiylZQ6w1ZvuYuUAK3jhHQ3CJvTQ4sEqNQV Zva6t0kHOEKVxKg412oEpQ0ihR+EBF/lnECu7iR2HTKk8xteNwio5qeeW/joTAJx OTYlHTtERTZIiaHdmV3nmGYgrTLeDHClilCnJrQuyXF+LVHjxBWDh7WS83zSrdIH gNP0eZ5UEjrpomf1yKqHVUsji63eSWACdFVXJLACMwpuevq8qgV6zASD+VuUd36r foEOKVj+FIHehWSef9pP48Na8bOn0EDVqtZEPOjE6o8Y8PjgSf7BSNogppZncldw VREox9NsxGM9hSVh3lVBWL8lT76HQVzXjfXXXoIEFDiGokNRV/dNTuhhb/mh0zxr VTKBboC6ijQVCdVQ7UdGFnoVXOWW2gy8sdam40ELBUCGDD5XI7A\xeajm -----END PGP SIGNATURE----- . Asterisk Project Security Advisory - AST-2022-006

         Product        Asterisk                                              
         Summary        pjproject: unconstrained malformed multipart SIP      
                        message                                               
    Nature of Advisory  Out of bounds memory access                           
      Susceptibility    Remote unauthenticated sessions                       
         Severity       Minor                                                 
      Exploits Known    Yes                                                   
       Reported On      March 3, 2022                                         
       Reported By      Sauw Ming                                             
        Posted On       March 4, 2022                                         
     Last Updated On    March 3, 2022                                         
     Advisory Contact   kharwell AT sangoma DOT com                           
         CVE Name       CVE-2022-21723
    
      Description     If an incoming SIP message contains a malformed         
                      multi-part body an out of bounds read access may        
                      occur, which can result in undefined behavior. Note,    
                      it’s currently uncertain if there is any externally     
                      exploitable vector within Asterisk for this issue, but  
                      providing this as a security issue out of caution.      
    Modules Affected  bundled pjproject
    
    Resolution  If you use “with-pjproject-bundled” then upgrade to, or       
                install one of, the versions of Asterisk listed below.        
                Otherwise install the appropriate version of pjproject that   
                contains the patch.
    
                               Affected Versions
                Product              Release Series  
         Asterisk Open Source             16.x       All versions             
         Asterisk Open Source             18.x       All versions             
         Asterisk Open Source             19.x       All versions             
          Certified Asterisk              16.x       All versions
    
                                  Corrected In
                 Product                              Release                 
           Asterisk Open Source                16.24.1,18.10.1,19.2.1         
            Certified Asterisk                      16.8-cert13
    
                                    Patches                         
                              Patch URL                             Revision
    

    https://downloads.digium.com/pub/security/AST-2022-006-16.diff Asterisk
    16
    https://downloads.digium.com/pub/security/AST-2022-006-18.diff Asterisk
    18
    https://downloads.digium.com/pub/security/AST-2022-006-19.diff Asterisk
    19
    https://downloads.digium.com/pub/security/AST-2022-006-16.8.diff Certified Asterisk
    16.8

    Links https://issues.asterisk.org/jira/browse/ASTERISK-29945

      https://downloads.asterisk.org/pub/security/AST-2022-006.html
    
      https://github.com/pjsip/pjproject/security/advisories/GHSA-7fw8-54cv-r7pm
    
    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security
    
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    https://downloads.digium.com/pub/security/AST-2022-006.pdf and            
    https://downloads.digium.com/pub/security/AST-2022-006.html
    
                                Revision History
          Date                  Editor                 Revisions Made         
    March 3, 2022      Kevin Harwell             Initial revision
    
               Asterisk Project Security Advisory - AST-2022-006
               Copyright © 2022 Digium, Inc. All Rights Reserved.
    

    Permission is hereby granted to distribute and publish this advisory in its original, unaltered form

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202201-0582",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "asterisk",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "sangoma",
            "version": "16.24.1"
          },
          {
            "model": "asterisk",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "sangoma",
            "version": "18.0.0"
          },
          {
            "model": "pjsip",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "teluu",
            "version": "2.11.1"
          },
          {
            "model": "asterisk",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "sangoma",
            "version": "18.10.1"
          },
          {
            "model": "asterisk",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "sangoma",
            "version": "19.2.1"
          },
          {
            "model": "asterisk",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "sangoma",
            "version": "19.0.0"
          },
          {
            "model": "asterisk",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "sangoma",
            "version": "16.0.0"
          },
          {
            "model": "linux",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "debian",
            "version": "9.0"
          },
          {
            "model": "linux",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "debian",
            "version": "10.0"
          },
          {
            "model": "certified asterisk",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "16.8.0"
          },
          {
            "model": "gnu/linux",
            "scope": null,
            "trust": 0.8,
            "vendor": "debian",
            "version": null
          },
          {
            "model": "certified asterisk",
            "scope": null,
            "trust": 0.8,
            "vendor": "asterisk",
            "version": null
          },
          {
            "model": "pjsip",
            "scope": "lte",
            "trust": 0.8,
            "vendor": "teluu",
            "version": "2.11.1  and earlier"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-004350"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-21723"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Gentoo",
        "sources": [
          {
            "db": "PACKETSTORM",
            "id": "169618"
          }
        ],
        "trust": 0.1
      },
      "cve": "CVE-2022-21723",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "PARTIAL",
                "baseScore": 6.4,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "id": "CVE-2022-21723",
                "impactScore": 4.9,
                "integrityImpact": "NONE",
                "severity": "MEDIUM",
                "trust": 1.9,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "nvd@nist.gov",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 3.9,
                "id": "CVE-2022-21723",
                "impactScore": 5.2,
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 2.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "OTHER",
                "availabilityImpact": "High",
                "baseScore": 9.1,
                "baseSeverity": "Critical",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "JVNDB-2022-004350",
                "impactScore": null,
                "integrityImpact": "None",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2022-21723",
                "trust": 1.0,
                "value": "CRITICAL"
              },
              {
                "author": "security-advisories@github.com",
                "id": "CVE-2022-21723",
                "trust": 1.0,
                "value": "CRITICAL"
              },
              {
                "author": "NVD",
                "id": "CVE-2022-21723",
                "trust": 0.8,
                "value": "Critical"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202201-2496",
                "trust": 0.6,
                "value": "CRITICAL"
              },
              {
                "author": "VULMON",
                "id": "CVE-2022-21723",
                "trust": 0.1,
                "value": "MEDIUM"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-21723"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202201-2496"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-004350"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-21723"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-21723"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions 2.11.1 and prior, parsing an incoming SIP message that contains a malformed multipart can potentially cause out-of-bound read access. This issue affects all PJSIP users that accept SIP multipart. The patch is available as commit in the `master` branch. There are no known workarounds. PJSIP Exists in an out-of-bounds read vulnerability.Information is obtained and service operation is interrupted (DoS) It may be in a state. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory                           GLSA 202210-37\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n                                           https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n    Title: PJSIP: Multiple Vulnerabilities\n     Date: October 31, 2022\n     Bugs: #803614, #829894, #875863\n       ID: 202210-37\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n=======\nMultiple vulnerabilities have been found in PJSIP, the worst of which\ncould result in arbitrary code execution. \n\nAffected packages\n================\n    -------------------------------------------------------------------\n     Package              /     Vulnerable     /            Unaffected\n    -------------------------------------------------------------------\n  1  net-libs/pjproject         \u003c 2.12.1                    \u003e= 2.12.1\n\nDescription\n==========\nMultiple vulnerabilities have been discovered in PJSIP. Please review\nthe CVE identifiers referenced below for details. \n\nImpact\n=====\nPlease review the referenced CVE identifiers for details. \n\nResolution\n=========\nAll PJSIP users should upgrade to the latest version:\n\n  # emerge --sync\n  # emerge --ask --oneshot --verbose \"\u003e=net-libs/pjproject-2.12.1\"\n\nReferences\n=========\n[ 1 ] CVE-2021-32686\n      https://nvd.nist.gov/vuln/detail/CVE-2021-32686\n[ 2 ] CVE-2021-37706\n      https://nvd.nist.gov/vuln/detail/CVE-2021-37706\n[ 3 ] CVE-2021-41141\n      https://nvd.nist.gov/vuln/detail/CVE-2021-41141\n[ 4 ] CVE-2021-43804\n      https://nvd.nist.gov/vuln/detail/CVE-2021-43804\n[ 5 ] CVE-2021-43845\n      https://nvd.nist.gov/vuln/detail/CVE-2021-43845\n[ 6 ] CVE-2022-21722\n      https://nvd.nist.gov/vuln/detail/CVE-2022-21722\n[ 7 ] CVE-2022-21723\n      https://nvd.nist.gov/vuln/detail/CVE-2022-21723\n[ 8 ] CVE-2022-23608\n      https://nvd.nist.gov/vuln/detail/CVE-2022-23608\n[ 9 ] CVE-2022-24754\n      https://nvd.nist.gov/vuln/detail/CVE-2022-24754\n[ 10 ] CVE-2022-24763\n      https://nvd.nist.gov/vuln/detail/CVE-2022-24763\n[ 11 ] CVE-2022-24764\n      https://nvd.nist.gov/vuln/detail/CVE-2022-24764\n[ 12 ] CVE-2022-24786\n      https://nvd.nist.gov/vuln/detail/CVE-2022-24786\n[ 13 ] CVE-2022-24792\n      https://nvd.nist.gov/vuln/detail/CVE-2022-24792\n[ 14 ] CVE-2022-24793\n      https://nvd.nist.gov/vuln/detail/CVE-2022-24793\n[ 15 ] CVE-2022-31031\n      https://nvd.nist.gov/vuln/detail/CVE-2022-31031\n[ 16 ] CVE-2022-39244\n      https://nvd.nist.gov/vuln/detail/CVE-2022-39244\n[ 17 ] CVE-2022-39269\n      https://nvd.nist.gov/vuln/detail/CVE-2022-39269\n\nAvailability\n===========\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202210-37\n\nConcerns?\n========\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n======\nCopyright 2022 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n- -------------------------------------------------------------------------\nDebian Security Advisory DSA-5285-1                   security@debian.org\nhttps://www.debian.org/security/                          Markus Koschany\nNovember 17, 2022                     https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage        : asterisk\nCVE ID         : CVE-2021-37706 CVE-2021-43299 CVE-2021-43300 CVE-2021-43301\n                 CVE-2021-43302 CVE-2021-43303 CVE-2021-43804 CVE-2021-43845\n                 CVE-2021-46837 CVE-2022-21722 CVE-2022-21723 CVE-2022-23608\n                 CVE-2022-24763 CVE-2022-24764 CVE-2022-24786 CVE-2022-24792\n                 CVE-2022-24793 CVE-2022-26498 CVE-2022-26499 CVE-2022-26651\nDebian Bug     : 1014998 1018073 1014976\n\nMultiple security vulnerabilities have been found in Asterisk, an Open Source\nPrivate Branch Exchange. Buffer overflows and other programming errors could be\nexploited for information disclosure or the execution of arbitrary code. \n\nSpecial care should be taken when upgrading to this new upstream release. \nSome configuration files and options have changed in order to remedy\ncertain security vulnerabilities. Most notably the pjsip TLS listener only\naccepts TLSv1.3 connections in the default configuration now. This can be\nreverted by adding method=tlsv1_2 to the transport in pjsip.conf. See also\nhttps://issues.asterisk.org/jira/browse/ASTERISK-29017. \n\nFor the stable distribution (bullseye), these problems have been fixed in\nversion 1:16.28.0~dfsg-0+deb11u1. \n\nWe recommend that you upgrade your asterisk packages. \n\nFor the detailed security status of asterisk please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/asterisk\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmN2qoFfFIAAAAAALgAo\naXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD\nRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7\nUeR0pQ/+Kr+FWFeFyrkFTyVv5BGBJug+EvZzzC2JZoI/TNsiAWQi/BZTQJ0pmdZr\nEHokqN7Z35EqZW6sj5aypdK7bOv4N+uv6P59xROk1KjEEG6XttGJ2BUvffWYWEXo\nk6+ou/yfAxU72Ufd1eOcMtjyGeN0CljmemIJ5Cywpnaw8YArP+VzRK2NEth0gCmJ\nTAfSvIPFaS7jB6fEg8KESOpmvtlqEJUh5sjP2t+OOEc3AoNBBuj4ZC44SQ1nif6k\njEbmLFnJYQF8dP+IasZ3SY80N+BeuGiylZQ6w1ZvuYuUAK3jhHQ3CJvTQ4sEqNQV\nZva6t0kHOEKVxKg412oEpQ0ihR+EBF/lnECu7iR2HTKk8xteNwio5qeeW/joTAJx\nOTYlHTtERTZIiaHdmV3nmGYgrTLeDHClilCnJrQuyXF+LVHjxBWDh7WS83zSrdIH\ngNP0eZ5UEjrpomf1yKqHVUsji63eSWACdFVXJLACMwpuevq8qgV6zASD+VuUd36r\nfoEOKVj+FIHehWSef9pP48Na8bOn0EDVqtZEPOjE6o8Y8PjgSf7BSNogppZncldw\nVREox9NsxGM9hSVh3lVBWL8lT76HQVzXjfXXXoIEFDiGokNRV/dNTuhhb/mh0zxr\nVTKBboC6ijQVCdVQ7UdGFnoVXOWW2gy8sdam40ELBUCGDD5XI7A\\xeajm\n-----END PGP SIGNATURE-----\n.                Asterisk Project Security Advisory - AST-2022-006\n\n         Product        Asterisk                                              \n         Summary        pjproject: unconstrained malformed multipart SIP      \n                        message                                               \n    Nature of Advisory  Out of bounds memory access                           \n      Susceptibility    Remote unauthenticated sessions                       \n         Severity       Minor                                                 \n      Exploits Known    Yes                                                   \n       Reported On      March 3, 2022                                         \n       Reported By      Sauw Ming                                             \n        Posted On       March 4, 2022                                         \n     Last Updated On    March 3, 2022                                         \n     Advisory Contact   kharwell AT sangoma DOT com                           \n         CVE Name       CVE-2022-21723                                        \n\n      Description     If an incoming SIP message contains a malformed         \n                      multi-part body an out of bounds read access may        \n                      occur, which can result in undefined behavior. Note,    \n                      it\u2019s currently uncertain if there is any externally     \n                      exploitable vector within Asterisk for this issue, but  \n                      providing this as a security issue out of caution.      \n    Modules Affected  bundled pjproject                                       \n\n    Resolution  If you use \u201cwith-pjproject-bundled\u201d then upgrade to, or       \n                install one of, the versions of Asterisk listed below.        \n                Otherwise install the appropriate version of pjproject that   \n                contains the patch.                                           \n\n                               Affected Versions\n                Product              Release Series  \n         Asterisk Open Source             16.x       All versions             \n         Asterisk Open Source             18.x       All versions             \n         Asterisk Open Source             19.x       All versions             \n          Certified Asterisk              16.x       All versions             \n\n                                  Corrected In\n                 Product                              Release                 \n           Asterisk Open Source                16.24.1,18.10.1,19.2.1         \n            Certified Asterisk                      16.8-cert13               \n\n                                    Patches                         \n                              Patch URL                             Revision  \n   https://downloads.digium.com/pub/security/AST-2022-006-16.diff   Asterisk  \n                                                                    16        \n   https://downloads.digium.com/pub/security/AST-2022-006-18.diff   Asterisk  \n                                                                    18        \n   https://downloads.digium.com/pub/security/AST-2022-006-19.diff   Asterisk  \n                                                                    19        \n   https://downloads.digium.com/pub/security/AST-2022-006-16.8.diff Certified \n                                                                    Asterisk  \n                                                                    16.8      \n\nLinks https://issues.asterisk.org/jira/browse/ASTERISK-29945                     \n                                                                                 \n      https://downloads.asterisk.org/pub/security/AST-2022-006.html              \n                                                                                 \n      https://github.com/pjsip/pjproject/security/advisories/GHSA-7fw8-54cv-r7pm \n\n    Asterisk Project Security Advisories are posted at                        \n    http://www.asterisk.org/security                                          \n                                                                              \n    This document may be superseded by later versions; if so, the latest      \n    version will be posted at                                                 \n    https://downloads.digium.com/pub/security/AST-2022-006.pdf and            \n    https://downloads.digium.com/pub/security/AST-2022-006.html               \n\n                                Revision History\n          Date                  Editor                 Revisions Made         \n    March 3, 2022      Kevin Harwell             Initial revision             \n\n               Asterisk Project Security Advisory - AST-2022-006\n               Copyright \u00a9 2022 Digium, Inc. All Rights Reserved. \n  Permission is hereby granted to distribute and publish this advisory in its\n                           original, unaltered form",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-21723"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-004350"
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-21723"
          },
          {
            "db": "PACKETSTORM",
            "id": "169618"
          },
          {
            "db": "PACKETSTORM",
            "id": "169938"
          },
          {
            "db": "PACKETSTORM",
            "id": "166227"
          }
        ],
        "trust": 1.98
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2022-21723",
            "trust": 3.6
          },
          {
            "db": "PACKETSTORM",
            "id": "166227",
            "trust": 1.8
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-004350",
            "trust": 0.8
          },
          {
            "db": "PACKETSTORM",
            "id": "169618",
            "trust": 0.7
          },
          {
            "db": "PACKETSTORM",
            "id": "169938",
            "trust": 0.7
          },
          {
            "db": "CS-HELP",
            "id": "SB2022022414",
            "trust": 0.6
          },
          {
            "db": "CS-HELP",
            "id": "SB2022030601",
            "trust": 0.6
          },
          {
            "db": "AUSCERT",
            "id": "ESB-2022.0943",
            "trust": 0.6
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202201-2496",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-21723",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-21723"
          },
          {
            "db": "PACKETSTORM",
            "id": "169618"
          },
          {
            "db": "PACKETSTORM",
            "id": "169938"
          },
          {
            "db": "PACKETSTORM",
            "id": "166227"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202201-2496"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-004350"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-21723"
          }
        ]
      },
      "id": "VAR-202201-0582",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.348297215
      },
      "last_update_date": "2025-11-18T13:57:30.498000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "Merge\u00a0pull\u00a0request\u00a0from\u00a0GHSA-7fw8-54cv-r7pm GitHub",
            "trust": 0.8,
            "url": "https://www.asterisk.org/products/software/certified-asterisk/"
          },
          {
            "title": "PJSIP Buffer error vulnerability fix",
            "trust": 0.6,
            "url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=179686"
          },
          {
            "title": "Debian CVElist Bug Report Logs: ring: CVE-2021-32686 CVE-2021-37706 CVE-2022-21723 CVE-2022-23608 CVE-2021-43299 CVE-2021-43300 CVE-2021-43301 CVE-2021-43302 CVE-2021-43303 CVE-2021-43804 CVE-2021-43845 CVE-2022-21722 CVE-2022-24754 CVE-2022-24763 CVE-2022-24764 CVE-2022-24793",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=4e89fc7b47aa12e94340b2e2db73b906"
          },
          {
            "title": "Debian Security Advisories: DSA-5285-1 asterisk -- security update",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=edc2cf0db8c0593c65c4c82227026727"
          },
          {
            "title": "CVE-2022-XXXX",
            "trust": 0.1,
            "url": "https://github.com/AlphabugX/CVE-2022-23305 "
          },
          {
            "title": "CVE-2022-XXXX",
            "trust": 0.1,
            "url": "https://github.com/AlphabugX/CVE-2022-RCE "
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-21723"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202201-2496"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-004350"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-125",
            "trust": 1.0
          },
          {
            "problemtype": "Out-of-bounds read (CWE-125) [NVD evaluation ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-004350"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-21723"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 2.5,
            "url": "http://seclists.org/fulldisclosure/2022/mar/2"
          },
          {
            "trust": 2.3,
            "url": "http://packetstormsecurity.com/files/166227/asterisk-project-security-advisory-ast-2022-006.html"
          },
          {
            "trust": 1.8,
            "url": "https://github.com/pjsip/pjproject/security/advisories/ghsa-7fw8-54cv-r7pm"
          },
          {
            "trust": 1.8,
            "url": "https://security.gentoo.org/glsa/202210-37"
          },
          {
            "trust": 1.8,
            "url": "https://www.debian.org/security/2022/dsa-5285"
          },
          {
            "trust": 1.7,
            "url": "https://github.com/pjsip/pjproject/commit/077b465c33f0aec05a49cd2ca456f9a1b112e896"
          },
          {
            "trust": 1.7,
            "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html"
          },
          {
            "trust": 1.7,
            "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"
          },
          {
            "trust": 1.7,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-21723"
          },
          {
            "trust": 1.1,
            "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html"
          },
          {
            "trust": 1.0,
            "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html"
          },
          {
            "trust": 0.6,
            "url": "https://packetstormsecurity.com/files/169618/gentoo-linux-security-advisory-202210-37.html"
          },
          {
            "trust": 0.6,
            "url": "https://www.auscert.org.au/bulletins/esb-2022.0943"
          },
          {
            "trust": 0.6,
            "url": "https://packetstormsecurity.com/files/169938/debian-security-advisory-5285-1.html"
          },
          {
            "trust": 0.6,
            "url": "https://www.cybersecurity-help.cz/vdb/sb2022022414"
          },
          {
            "trust": 0.6,
            "url": "https://vigilance.fr/vulnerability/asterisk-out-of-bounds-memory-reading-via-pjproject-multipart-sip-message-37714"
          },
          {
            "trust": 0.6,
            "url": "https://www.cybersecurity-help.cz/vdb/sb2022030601"
          },
          {
            "trust": 0.2,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43804"
          },
          {
            "trust": 0.2,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-23608"
          },
          {
            "trust": 0.2,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43845"
          },
          {
            "trust": 0.2,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-24764"
          },
          {
            "trust": 0.2,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-21722"
          },
          {
            "trust": 0.2,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-37706"
          },
          {
            "trust": 0.2,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-24763"
          },
          {
            "trust": 0.1,
            "url": "https://cwe.mitre.org/data/definitions/125.html"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          },
          {
            "trust": 0.1,
            "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014998"
          },
          {
            "trust": 0.1,
            "url": "https://github.com/alphabugx/cve-2022-23305"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-24793"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-39244"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-41141"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-24754"
          },
          {
            "trust": 0.1,
            "url": "https://creativecommons.org/licenses/by-sa/2.5"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-39269"
          },
          {
            "trust": 0.1,
            "url": "https://bugs.gentoo.org."
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-24786"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-24792"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-31031"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-32686"
          },
          {
            "trust": 0.1,
            "url": "https://security.gentoo.org/"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43299"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43303"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-46837"
          },
          {
            "trust": 0.1,
            "url": "https://www.debian.org/security/faq"
          },
          {
            "trust": 0.1,
            "url": "https://www.debian.org/security/"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43301"
          },
          {
            "trust": 0.1,
            "url": "https://issues.asterisk.org/jira/browse/asterisk-29017."
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43300"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43302"
          },
          {
            "trust": 0.1,
            "url": "https://security-tracker.debian.org/tracker/asterisk"
          },
          {
            "trust": 0.1,
            "url": "https://downloads.digium.com/pub/security/ast-2022-006.html"
          },
          {
            "trust": 0.1,
            "url": "http://www.asterisk.org/security"
          },
          {
            "trust": 0.1,
            "url": "https://downloads.digium.com/pub/security/ast-2022-006.pdf"
          },
          {
            "trust": 0.1,
            "url": "https://downloads.asterisk.org/pub/security/ast-2022-006.html"
          },
          {
            "trust": 0.1,
            "url": "https://issues.asterisk.org/jira/browse/asterisk-29945"
          },
          {
            "trust": 0.1,
            "url": "https://downloads.digium.com/pub/security/ast-2022-006-19.diff"
          },
          {
            "trust": 0.1,
            "url": "https://downloads.digium.com/pub/security/ast-2022-006-16.8.diff"
          },
          {
            "trust": 0.1,
            "url": "https://downloads.digium.com/pub/security/ast-2022-006-16.diff"
          },
          {
            "trust": 0.1,
            "url": "https://downloads.digium.com/pub/security/ast-2022-006-18.diff"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-21723"
          },
          {
            "db": "PACKETSTORM",
            "id": "169618"
          },
          {
            "db": "PACKETSTORM",
            "id": "169938"
          },
          {
            "db": "PACKETSTORM",
            "id": "166227"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202201-2496"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-004350"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-21723"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2022-21723"
          },
          {
            "db": "PACKETSTORM",
            "id": "169618"
          },
          {
            "db": "PACKETSTORM",
            "id": "169938"
          },
          {
            "db": "PACKETSTORM",
            "id": "166227"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202201-2496"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-004350"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-21723"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2022-01-27T00:00:00",
            "db": "VULMON",
            "id": "CVE-2022-21723"
          },
          {
            "date": "2022-11-01T13:21:55",
            "db": "PACKETSTORM",
            "id": "169618"
          },
          {
            "date": "2022-11-18T14:28:10",
            "db": "PACKETSTORM",
            "id": "169938"
          },
          {
            "date": "2022-03-07T16:29:41",
            "db": "PACKETSTORM",
            "id": "166227"
          },
          {
            "date": "2022-01-26T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202201-2496"
          },
          {
            "date": "2023-04-10T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2022-004350"
          },
          {
            "date": "2022-01-27T00:15:07.737000",
            "db": "NVD",
            "id": "CVE-2022-21723"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-08-30T00:00:00",
            "db": "VULMON",
            "id": "CVE-2022-21723"
          },
          {
            "date": "2022-11-21T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202201-2496"
          },
          {
            "date": "2023-04-10T01:24:00",
            "db": "JVNDB",
            "id": "JVNDB-2022-004350"
          },
          {
            "date": "2025-11-04T16:15:46.583000",
            "db": "NVD",
            "id": "CVE-2022-21723"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202201-2496"
          }
        ],
        "trust": 0.6
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "PJSIP\u00a0 Out-of-bounds read vulnerability in",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-004350"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "buffer error",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202201-2496"
          }
        ],
        "trust": 0.6
      }
    }

    VAR-202202-0167

    Vulnerability from variot - Updated: 2025-11-18 12:34

    PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions up to and including 2.11.1 when in a dialog set (or forking) scenario, a hash key shared by multiple UAC dialogs can potentially be prematurely freed when one of the dialogs is destroyed . The issue may cause a dialog set to be registered in the hash table multiple times (with different hash keys) leading to undefined behavior such as dialog list collision which eventually leading to endless loop. A patch is available in commit db3235953baa56d2fb0e276ca510fefca751643f which will be included in the next release. There are no known workarounds for this issue. Teluu Ltd. of PJSIP Products from multiple other vendors contain vulnerabilities related to use of freed memory.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202210-37


                                           https://security.gentoo.org/
    

    Severity: Normal Title: PJSIP: Multiple Vulnerabilities Date: October 31, 2022 Bugs: #803614, #829894, #875863 ID: 202210-37


    Synopsis

    Multiple vulnerabilities have been found in PJSIP, the worst of which could result in arbitrary code execution.

    Affected packages

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
    

    1 net-libs/pjproject < 2.12.1 >= 2.12.1

    Description

    Multiple vulnerabilities have been discovered in PJSIP. Please review the CVE identifiers referenced below for details.

    Impact

    Please review the referenced CVE identifiers for details.

    Resolution

    All PJSIP users should upgrade to the latest version:

    # emerge --sync # emerge --ask --oneshot --verbose ">=net-libs/pjproject-2.12.1"

    References

    [ 1 ] CVE-2021-32686 https://nvd.nist.gov/vuln/detail/CVE-2021-32686 [ 2 ] CVE-2021-37706 https://nvd.nist.gov/vuln/detail/CVE-2021-37706 [ 3 ] CVE-2021-41141 https://nvd.nist.gov/vuln/detail/CVE-2021-41141 [ 4 ] CVE-2021-43804 https://nvd.nist.gov/vuln/detail/CVE-2021-43804 [ 5 ] CVE-2021-43845 https://nvd.nist.gov/vuln/detail/CVE-2021-43845 [ 6 ] CVE-2022-21722 https://nvd.nist.gov/vuln/detail/CVE-2022-21722 [ 7 ] CVE-2022-21723 https://nvd.nist.gov/vuln/detail/CVE-2022-21723 [ 8 ] CVE-2022-23608 https://nvd.nist.gov/vuln/detail/CVE-2022-23608 [ 9 ] CVE-2022-24754 https://nvd.nist.gov/vuln/detail/CVE-2022-24754 [ 10 ] CVE-2022-24763 https://nvd.nist.gov/vuln/detail/CVE-2022-24763 [ 11 ] CVE-2022-24764 https://nvd.nist.gov/vuln/detail/CVE-2022-24764 [ 12 ] CVE-2022-24786 https://nvd.nist.gov/vuln/detail/CVE-2022-24786 [ 13 ] CVE-2022-24792 https://nvd.nist.gov/vuln/detail/CVE-2022-24792 [ 14 ] CVE-2022-24793 https://nvd.nist.gov/vuln/detail/CVE-2022-24793 [ 15 ] CVE-2022-31031 https://nvd.nist.gov/vuln/detail/CVE-2022-31031 [ 16 ] CVE-2022-39244 https://nvd.nist.gov/vuln/detail/CVE-2022-39244 [ 17 ] CVE-2022-39269 https://nvd.nist.gov/vuln/detail/CVE-2022-39269

    Availability

    This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

    https://security.gentoo.org/glsa/202210-37

    Concerns?

    Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

    License

    Copyright 2022 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

    The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512


    Debian Security Advisory DSA-5285-1 security@debian.org https://www.debian.org/security/ Markus Koschany November 17, 2022 https://www.debian.org/security/faq


    Package : asterisk CVE ID : CVE-2021-37706 CVE-2021-43299 CVE-2021-43300 CVE-2021-43301 CVE-2021-43302 CVE-2021-43303 CVE-2021-43804 CVE-2021-43845 CVE-2021-46837 CVE-2022-21722 CVE-2022-21723 CVE-2022-23608 CVE-2022-24763 CVE-2022-24764 CVE-2022-24786 CVE-2022-24792 CVE-2022-24793 CVE-2022-26498 CVE-2022-26499 CVE-2022-26651 Debian Bug : 1014998 1018073 1014976

    Multiple security vulnerabilities have been found in Asterisk, an Open Source Private Branch Exchange. Buffer overflows and other programming errors could be exploited for information disclosure or the execution of arbitrary code.

    Special care should be taken when upgrading to this new upstream release. Some configuration files and options have changed in order to remedy certain security vulnerabilities. Most notably the pjsip TLS listener only accepts TLSv1.3 connections in the default configuration now. This can be reverted by adding method=tlsv1_2 to the transport in pjsip.conf. See also https://issues.asterisk.org/jira/browse/ASTERISK-29017.

    For the stable distribution (bullseye), these problems have been fixed in version 1:16.28.0~dfsg-0+deb11u1.

    We recommend that you upgrade your asterisk packages.

    For the detailed security status of asterisk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/asterisk

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----

    iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmN2qoFfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7 UeR0pQ/+Kr+FWFeFyrkFTyVv5BGBJug+EvZzzC2JZoI/TNsiAWQi/BZTQJ0pmdZr EHokqN7Z35EqZW6sj5aypdK7bOv4N+uv6P59xROk1KjEEG6XttGJ2BUvffWYWEXo k6+ou/yfAxU72Ufd1eOcMtjyGeN0CljmemIJ5Cywpnaw8YArP+VzRK2NEth0gCmJ TAfSvIPFaS7jB6fEg8KESOpmvtlqEJUh5sjP2t+OOEc3AoNBBuj4ZC44SQ1nif6k jEbmLFnJYQF8dP+IasZ3SY80N+BeuGiylZQ6w1ZvuYuUAK3jhHQ3CJvTQ4sEqNQV Zva6t0kHOEKVxKg412oEpQ0ihR+EBF/lnECu7iR2HTKk8xteNwio5qeeW/joTAJx OTYlHTtERTZIiaHdmV3nmGYgrTLeDHClilCnJrQuyXF+LVHjxBWDh7WS83zSrdIH gNP0eZ5UEjrpomf1yKqHVUsji63eSWACdFVXJLACMwpuevq8qgV6zASD+VuUd36r foEOKVj+FIHehWSef9pP48Na8bOn0EDVqtZEPOjE6o8Y8PjgSf7BSNogppZncldw VREox9NsxGM9hSVh3lVBWL8lT76HQVzXjfXXXoIEFDiGokNRV/dNTuhhb/mh0zxr VTKBboC6ijQVCdVQ7UdGFnoVXOWW2gy8sdam40ELBUCGDD5XI7A\xeajm -----END PGP SIGNATURE----- . ========================================================================== Ubuntu Security Notice USN-6422-1 October 09, 2023

    ring vulnerabilities

    A security issue affects these releases of Ubuntu and its derivatives:

    • Ubuntu 23.04
    • Ubuntu 20.04 LTS
    • Ubuntu 18.04 LTS (Available with Ubuntu Pro)

    Summary:

    Several security issues were fixed in Ring.

    Software Description: - ring: Secure and distributed voice, video, and chat platform

    Details:

    It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code. (CVE-2021-37706)

    It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-43299, CVE-2021-43300, CVE-2021-43301, CVE-2021-43302, CVE-2021-43303, CVE-2021-43804, CVE-2021-43845, CVE-2022-21723, CVE-2022-23537, CVE-2022-23547, CVE-2022-23608, CVE-2022-24754, CVE-2022-24763, CVE-2022-24764, CVE-2022-24793, CVE-2022-31031, CVE-2022-39244)

    It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS. (CVE-2022-21722)

    It was discovered that Ring incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. (CVE-2023-27585)

    Update instructions:

    The problem can be corrected by updating your system to the following package versions:

    Ubuntu 23.04: jami 20230206.0~ds1-5ubuntu0.1 jami-daemon 20230206.0~ds1-5ubuntu0.1

    Ubuntu 20.04 LTS: jami 20190215.1.f152c98~ds1-1+deb10u2build0.20.04.1 jami-daemon 20190215.1.f152c98~ds1-1+deb10u2build0.20.04.1 ring 20190215.1.f152c98~ds1-1+deb10u2build0.20.04.1 ring-daemon 20190215.1.f152c98~ds1-1+deb10u2build0.20.04.1

    Ubuntu 18.04 LTS (Available with Ubuntu Pro): ring 20180228.1.503da2b~ds1-1ubuntu0.1~esm1 ring-daemon 20180228.1.503da2b~ds1-1ubuntu0.1~esm1

    In general, a standard system update will make all the necessary changes.

    References: https://ubuntu.com/security/notices/USN-6422-1 CVE-2021-37706, CVE-2021-43299, CVE-2021-43300, CVE-2021-43301, CVE-2021-43302, CVE-2021-43303, CVE-2021-43804, CVE-2021-43845, CVE-2022-21722, CVE-2022-21723, CVE-2022-23537, CVE-2022-23547, CVE-2022-23608, CVE-2022-24754, CVE-2022-24763, CVE-2022-24764, CVE-2022-24793, CVE-2022-31031, CVE-2022-39244, CVE-2023-27585

    Package Information: https://launchpad.net/ubuntu/+source/ring/20230206.0~ds1-5ubuntu0.1

    https://launchpad.net/ubuntu/+source/ring/20190215.1.f152c98~ds1-1+deb10u2build0.20.04.1

    . Asterisk Project Security Advisory - AST-2022-005

         Product        Asterisk                                              
         Summary        pjproject: undefined behavior after freeing a dialog  
                        set                                                   
    Nature of Advisory  Denial of service                                     
      Susceptibility    Remote unauthenticated sessions                       
         Severity       Major                                                 
      Exploits Known    Yes                                                   
       Reported On      March 3, 2022                                         
       Reported By      Sauw Ming                                             
        Posted On       March 4, 2022                                         
     Last Updated On    March 3, 2022                                         
     Advisory Contact   kharwell AT sangoma DOT com                           
         CVE Name       CVE-2022-23608
    
      Description     When acting as a UAC, and when placing an outgoing      
                      call to a target that then forks Asterisk may           
                      experience undefined behavior (crashes, hangs, etc…)    
                      after a dialog set is prematurely freed.                
    Modules Affected  bundled pjproject
    
    Resolution  If you use “with-pjproject-bundled” then upgrade to, or       
                install one of, the versions of Asterisk listed below.        
                Otherwise install the appropriate version of pjproject that   
                contains the patch.
    
                               Affected Versions
                Product              Release Series  
         Asterisk Open Source             16.x       All versions             
         Asterisk Open Source             18.x       All versions             
         Asterisk Open Source             19.x       All versions             
          Certified Asterisk              16.x       All versions
    
                                  Corrected In
                 Product                              Release                 
           Asterisk Open Source                16.24.1,18.10.1,19.2.1         
            Certified Asterisk                      16.8-cert13
    
                                    Patches                         
                              Patch URL                             Revision
    

    https://downloads.digium.com/pub/security/AST-2022-005-16.diff Asterisk
    16
    https://downloads.digium.com/pub/security/AST-2022-005-18.diff Asterisk
    18
    https://downloads.digium.com/pub/security/AST-2022-005-19.diff Asterisk
    19
    https://downloads.digium.com/pub/security/AST-2022-005-16.8.diff Certified Asterisk
    16.8

    Links https://issues.asterisk.org/jira/browse/ASTERISK-29945

      https://downloads.asterisk.org/pub/security/AST-2022-005.html
    
      https://github.com/pjsip/pjproject/security/advisories/GHSA-ffff-m5fm-qm62
    
    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security
    
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    https://downloads.digium.com/pub/security/AST-2022-005.pdf and            
    https://downloads.digium.com/pub/security/AST-2022-005.html
    
                                Revision History
          Date                  Editor                 Revisions Made         
    March 3, 2022      Kevin Harwell             Initial revision
    
               Asterisk Project Security Advisory - AST-2022-005
               Copyright © 2022 Digium, Inc. All Rights Reserved.
    

    Permission is hereby granted to distribute and publish this advisory in its original, unaltered form

    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202202-0167",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "asterisk",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "sangoma",
            "version": "16.24.1"
          },
          {
            "model": "asterisk",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "sangoma",
            "version": "18.0.0"
          },
          {
            "model": "pjsip",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "teluu",
            "version": "2.11.1"
          },
          {
            "model": "asterisk",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "sangoma",
            "version": "18.10.1"
          },
          {
            "model": "asterisk",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "sangoma",
            "version": "19.2.1"
          },
          {
            "model": "certified asterisk",
            "scope": "lt",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "16.8.0"
          },
          {
            "model": "asterisk",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "sangoma",
            "version": "19.0.0"
          },
          {
            "model": "asterisk",
            "scope": "gte",
            "trust": 1.0,
            "vendor": "sangoma",
            "version": "16.0.0"
          },
          {
            "model": "linux",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "debian",
            "version": "9.0"
          },
          {
            "model": "linux",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "debian",
            "version": "10.0"
          },
          {
            "model": "certified asterisk",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "16.8.0"
          },
          {
            "model": "pjsip",
            "scope": null,
            "trust": 0.8,
            "vendor": "teluu",
            "version": null
          },
          {
            "model": "gnu/linux",
            "scope": null,
            "trust": 0.8,
            "vendor": "debian",
            "version": null
          },
          {
            "model": "certified asterisk",
            "scope": null,
            "trust": 0.8,
            "vendor": "asterisk",
            "version": null
          },
          {
            "model": "asterisk",
            "scope": null,
            "trust": 0.8,
            "vendor": "sangoma",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-006237"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-23608"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Gentoo",
        "sources": [
          {
            "db": "PACKETSTORM",
            "id": "169618"
          }
        ],
        "trust": 0.1
      },
      "cve": "CVE-2022-23608",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "NONE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "PARTIAL",
                "baseScore": 7.5,
                "confidentialityImpact": "PARTIAL",
                "exploitabilityScore": 10.0,
                "id": "CVE-2022-23608",
                "impactScore": 6.4,
                "integrityImpact": "PARTIAL",
                "severity": "HIGH",
                "trust": 1.9,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                "version": "2.0"
              }
            ],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "author": "nvd@nist.gov",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 3.9,
                "id": "CVE-2022-23608",
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "author": "security-advisories@github.com",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 2.2,
                "id": "CVE-2022-23608",
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Network",
                "author": "NVD",
                "availabilityImpact": "High",
                "baseScore": 9.8,
                "baseSeverity": "Critical",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "CVE-2022-23608",
                "impactScore": null,
                "integrityImpact": "High",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2022-23608",
                "trust": 1.0,
                "value": "CRITICAL"
              },
              {
                "author": "security-advisories@github.com",
                "id": "CVE-2022-23608",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "NVD",
                "id": "CVE-2022-23608",
                "trust": 0.8,
                "value": "Critical"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-202202-1757",
                "trust": 0.6,
                "value": "CRITICAL"
              },
              {
                "author": "VULMON",
                "id": "CVE-2022-23608",
                "trust": 0.1,
                "value": "HIGH"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-23608"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202202-1757"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-006237"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-23608"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-23608"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions up to and including 2.11.1 when in a dialog set (or forking) scenario, a hash key shared by multiple UAC dialogs can potentially be prematurely freed when one of the dialogs is destroyed . The issue may cause a dialog set to be registered in the hash table multiple times (with different hash keys) leading to undefined behavior such as dialog list collision which eventually leading to endless loop. A patch is available in commit db3235953baa56d2fb0e276ca510fefca751643f which will be included in the next release. There are no known workarounds for this issue. Teluu Ltd. of PJSIP Products from multiple other vendors contain vulnerabilities related to use of freed memory.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory                           GLSA 202210-37\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n                                           https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n    Title: PJSIP: Multiple Vulnerabilities\n     Date: October 31, 2022\n     Bugs: #803614, #829894, #875863\n       ID: 202210-37\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n=======\nMultiple vulnerabilities have been found in PJSIP, the worst of which\ncould result in arbitrary code execution. \n\nAffected packages\n================\n    -------------------------------------------------------------------\n     Package              /     Vulnerable     /            Unaffected\n    -------------------------------------------------------------------\n  1  net-libs/pjproject         \u003c 2.12.1                    \u003e= 2.12.1\n\nDescription\n==========\nMultiple vulnerabilities have been discovered in PJSIP. Please review\nthe CVE identifiers referenced below for details. \n\nImpact\n=====\nPlease review the referenced CVE identifiers for details. \n\nResolution\n=========\nAll PJSIP users should upgrade to the latest version:\n\n  # emerge --sync\n  # emerge --ask --oneshot --verbose \"\u003e=net-libs/pjproject-2.12.1\"\n\nReferences\n=========\n[ 1 ] CVE-2021-32686\n      https://nvd.nist.gov/vuln/detail/CVE-2021-32686\n[ 2 ] CVE-2021-37706\n      https://nvd.nist.gov/vuln/detail/CVE-2021-37706\n[ 3 ] CVE-2021-41141\n      https://nvd.nist.gov/vuln/detail/CVE-2021-41141\n[ 4 ] CVE-2021-43804\n      https://nvd.nist.gov/vuln/detail/CVE-2021-43804\n[ 5 ] CVE-2021-43845\n      https://nvd.nist.gov/vuln/detail/CVE-2021-43845\n[ 6 ] CVE-2022-21722\n      https://nvd.nist.gov/vuln/detail/CVE-2022-21722\n[ 7 ] CVE-2022-21723\n      https://nvd.nist.gov/vuln/detail/CVE-2022-21723\n[ 8 ] CVE-2022-23608\n      https://nvd.nist.gov/vuln/detail/CVE-2022-23608\n[ 9 ] CVE-2022-24754\n      https://nvd.nist.gov/vuln/detail/CVE-2022-24754\n[ 10 ] CVE-2022-24763\n      https://nvd.nist.gov/vuln/detail/CVE-2022-24763\n[ 11 ] CVE-2022-24764\n      https://nvd.nist.gov/vuln/detail/CVE-2022-24764\n[ 12 ] CVE-2022-24786\n      https://nvd.nist.gov/vuln/detail/CVE-2022-24786\n[ 13 ] CVE-2022-24792\n      https://nvd.nist.gov/vuln/detail/CVE-2022-24792\n[ 14 ] CVE-2022-24793\n      https://nvd.nist.gov/vuln/detail/CVE-2022-24793\n[ 15 ] CVE-2022-31031\n      https://nvd.nist.gov/vuln/detail/CVE-2022-31031\n[ 16 ] CVE-2022-39244\n      https://nvd.nist.gov/vuln/detail/CVE-2022-39244\n[ 17 ] CVE-2022-39269\n      https://nvd.nist.gov/vuln/detail/CVE-2022-39269\n\nAvailability\n===========\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202210-37\n\nConcerns?\n========\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n======\nCopyright 2022 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n- -------------------------------------------------------------------------\nDebian Security Advisory DSA-5285-1                   security@debian.org\nhttps://www.debian.org/security/                          Markus Koschany\nNovember 17, 2022                     https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage        : asterisk\nCVE ID         : CVE-2021-37706 CVE-2021-43299 CVE-2021-43300 CVE-2021-43301\n                 CVE-2021-43302 CVE-2021-43303 CVE-2021-43804 CVE-2021-43845\n                 CVE-2021-46837 CVE-2022-21722 CVE-2022-21723 CVE-2022-23608\n                 CVE-2022-24763 CVE-2022-24764 CVE-2022-24786 CVE-2022-24792\n                 CVE-2022-24793 CVE-2022-26498 CVE-2022-26499 CVE-2022-26651\nDebian Bug     : 1014998 1018073 1014976\n\nMultiple security vulnerabilities have been found in Asterisk, an Open Source\nPrivate Branch Exchange. Buffer overflows and other programming errors could be\nexploited for information disclosure or the execution of arbitrary code. \n\nSpecial care should be taken when upgrading to this new upstream release. \nSome configuration files and options have changed in order to remedy\ncertain security vulnerabilities. Most notably the pjsip TLS listener only\naccepts TLSv1.3 connections in the default configuration now. This can be\nreverted by adding method=tlsv1_2 to the transport in pjsip.conf. See also\nhttps://issues.asterisk.org/jira/browse/ASTERISK-29017. \n\nFor the stable distribution (bullseye), these problems have been fixed in\nversion 1:16.28.0~dfsg-0+deb11u1. \n\nWe recommend that you upgrade your asterisk packages. \n\nFor the detailed security status of asterisk please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/asterisk\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmN2qoFfFIAAAAAALgAo\naXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD\nRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7\nUeR0pQ/+Kr+FWFeFyrkFTyVv5BGBJug+EvZzzC2JZoI/TNsiAWQi/BZTQJ0pmdZr\nEHokqN7Z35EqZW6sj5aypdK7bOv4N+uv6P59xROk1KjEEG6XttGJ2BUvffWYWEXo\nk6+ou/yfAxU72Ufd1eOcMtjyGeN0CljmemIJ5Cywpnaw8YArP+VzRK2NEth0gCmJ\nTAfSvIPFaS7jB6fEg8KESOpmvtlqEJUh5sjP2t+OOEc3AoNBBuj4ZC44SQ1nif6k\njEbmLFnJYQF8dP+IasZ3SY80N+BeuGiylZQ6w1ZvuYuUAK3jhHQ3CJvTQ4sEqNQV\nZva6t0kHOEKVxKg412oEpQ0ihR+EBF/lnECu7iR2HTKk8xteNwio5qeeW/joTAJx\nOTYlHTtERTZIiaHdmV3nmGYgrTLeDHClilCnJrQuyXF+LVHjxBWDh7WS83zSrdIH\ngNP0eZ5UEjrpomf1yKqHVUsji63eSWACdFVXJLACMwpuevq8qgV6zASD+VuUd36r\nfoEOKVj+FIHehWSef9pP48Na8bOn0EDVqtZEPOjE6o8Y8PjgSf7BSNogppZncldw\nVREox9NsxGM9hSVh3lVBWL8lT76HQVzXjfXXXoIEFDiGokNRV/dNTuhhb/mh0zxr\nVTKBboC6ijQVCdVQ7UdGFnoVXOWW2gy8sdam40ELBUCGDD5XI7A\\xeajm\n-----END PGP SIGNATURE-----\n. ==========================================================================\nUbuntu Security Notice USN-6422-1\nOctober 09, 2023\n\nring vulnerabilities\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 23.04\n- Ubuntu 20.04 LTS\n- Ubuntu 18.04 LTS (Available with Ubuntu Pro)\n\nSummary:\n\nSeveral security issues were fixed in Ring. \n\nSoftware Description:\n- ring: Secure and distributed voice, video, and chat platform\n\nDetails:\n\nIt was discovered that Ring incorrectly handled certain inputs. If a user or\nan automated system were tricked into opening a specially crafted input file,\na remote attacker could possibly use this issue to execute arbitrary code. \n(CVE-2021-37706)\n\nIt was discovered that Ring incorrectly handled certain inputs. If a user or\nan automated system were tricked into opening a specially crafted input file,\na remote attacker could possibly use this issue to cause a denial of service. \nThis issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. \n(CVE-2021-43299, CVE-2021-43300, CVE-2021-43301, CVE-2021-43302,\nCVE-2021-43303, CVE-2021-43804, CVE-2021-43845, CVE-2022-21723,\nCVE-2022-23537, CVE-2022-23547, CVE-2022-23608, CVE-2022-24754,\nCVE-2022-24763, CVE-2022-24764, CVE-2022-24793, CVE-2022-31031,\nCVE-2022-39244)\n\nIt was discovered that Ring incorrectly handled certain inputs. If a user or\nan automated system were tricked into opening a specially crafted input file,\na remote attacker could possibly use this issue to cause a denial of service. \nThis issue only affected Ubuntu 20.04 LTS. (CVE-2022-21722)\n\nIt was discovered that Ring incorrectly handled certain inputs. If a user or\nan automated system were tricked into opening a specially crafted input file,\na remote attacker could possibly use this issue to cause a denial of service. \n(CVE-2023-27585)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 23.04:\n   jami                            20230206.0~ds1-5ubuntu0.1\n   jami-daemon                     20230206.0~ds1-5ubuntu0.1\n\nUbuntu 20.04 LTS:\n   jami                            20190215.1.f152c98~ds1-1+deb10u2build0.20.04.1\n   jami-daemon                     20190215.1.f152c98~ds1-1+deb10u2build0.20.04.1\n   ring                            20190215.1.f152c98~ds1-1+deb10u2build0.20.04.1\n   ring-daemon                     20190215.1.f152c98~ds1-1+deb10u2build0.20.04.1\n\nUbuntu 18.04 LTS (Available with Ubuntu Pro):\n   ring                            20180228.1.503da2b~ds1-1ubuntu0.1~esm1\n   ring-daemon                     20180228.1.503da2b~ds1-1ubuntu0.1~esm1\n\nIn general, a standard system update will make all the necessary changes. \n\nReferences:\n   https://ubuntu.com/security/notices/USN-6422-1\n   CVE-2021-37706, CVE-2021-43299, CVE-2021-43300, CVE-2021-43301,\n   CVE-2021-43302, CVE-2021-43303, CVE-2021-43804, CVE-2021-43845,\n   CVE-2022-21722, CVE-2022-21723, CVE-2022-23537, CVE-2022-23547,\n   CVE-2022-23608, CVE-2022-24754, CVE-2022-24763, CVE-2022-24764,\n   CVE-2022-24793, CVE-2022-31031, CVE-2022-39244, CVE-2023-27585\n\nPackage Information:\n   https://launchpad.net/ubuntu/+source/ring/20230206.0~ds1-5ubuntu0.1\n \nhttps://launchpad.net/ubuntu/+source/ring/20190215.1.f152c98~ds1-1+deb10u2build0.20.04.1\n\n.                Asterisk Project Security Advisory - AST-2022-005\n\n         Product        Asterisk                                              \n         Summary        pjproject: undefined behavior after freeing a dialog  \n                        set                                                   \n    Nature of Advisory  Denial of service                                     \n      Susceptibility    Remote unauthenticated sessions                       \n         Severity       Major                                                 \n      Exploits Known    Yes                                                   \n       Reported On      March 3, 2022                                         \n       Reported By      Sauw Ming                                             \n        Posted On       March 4, 2022                                         \n     Last Updated On    March 3, 2022                                         \n     Advisory Contact   kharwell AT sangoma DOT com                           \n         CVE Name       CVE-2022-23608                                        \n\n      Description     When acting as a UAC, and when placing an outgoing      \n                      call to a target that then forks Asterisk may           \n                      experience undefined behavior (crashes, hangs, etc\u2026)    \n                      after a dialog set is prematurely freed.                \n    Modules Affected  bundled pjproject                                       \n\n    Resolution  If you use \u201cwith-pjproject-bundled\u201d then upgrade to, or       \n                install one of, the versions of Asterisk listed below.        \n                Otherwise install the appropriate version of pjproject that   \n                contains the patch.                                           \n\n                               Affected Versions\n                Product              Release Series  \n         Asterisk Open Source             16.x       All versions             \n         Asterisk Open Source             18.x       All versions             \n         Asterisk Open Source             19.x       All versions             \n          Certified Asterisk              16.x       All versions             \n\n                                  Corrected In\n                 Product                              Release                 \n           Asterisk Open Source                16.24.1,18.10.1,19.2.1         \n            Certified Asterisk                      16.8-cert13               \n\n                                    Patches                         \n                              Patch URL                             Revision  \n   https://downloads.digium.com/pub/security/AST-2022-005-16.diff   Asterisk  \n                                                                    16        \n   https://downloads.digium.com/pub/security/AST-2022-005-18.diff   Asterisk  \n                                                                    18        \n   https://downloads.digium.com/pub/security/AST-2022-005-19.diff   Asterisk  \n                                                                    19        \n   https://downloads.digium.com/pub/security/AST-2022-005-16.8.diff Certified \n                                                                    Asterisk  \n                                                                    16.8      \n\nLinks https://issues.asterisk.org/jira/browse/ASTERISK-29945                     \n                                                                                 \n      https://downloads.asterisk.org/pub/security/AST-2022-005.html              \n                                                                                 \n      https://github.com/pjsip/pjproject/security/advisories/GHSA-ffff-m5fm-qm62 \n\n    Asterisk Project Security Advisories are posted at                        \n    http://www.asterisk.org/security                                          \n                                                                              \n    This document may be superseded by later versions; if so, the latest      \n    version will be posted at                                                 \n    https://downloads.digium.com/pub/security/AST-2022-005.pdf and            \n    https://downloads.digium.com/pub/security/AST-2022-005.html               \n\n                                Revision History\n          Date                  Editor                 Revisions Made         \n    March 3, 2022      Kevin Harwell             Initial revision             \n\n               Asterisk Project Security Advisory - AST-2022-005\n               Copyright \u00a9 2022 Digium, Inc. All Rights Reserved. \n  Permission is hereby granted to distribute and publish this advisory in its\n                           original, unaltered form",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2022-23608"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-006237"
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-23608"
          },
          {
            "db": "PACKETSTORM",
            "id": "169618"
          },
          {
            "db": "PACKETSTORM",
            "id": "169938"
          },
          {
            "db": "PACKETSTORM",
            "id": "175025"
          },
          {
            "db": "PACKETSTORM",
            "id": "166226"
          }
        ],
        "trust": 2.07
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2022-23608",
            "trust": 3.7
          },
          {
            "db": "PACKETSTORM",
            "id": "166226",
            "trust": 2.6
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-006237",
            "trust": 0.8
          },
          {
            "db": "PACKETSTORM",
            "id": "169618",
            "trust": 0.7
          },
          {
            "db": "PACKETSTORM",
            "id": "169938",
            "trust": 0.7
          },
          {
            "db": "AUSCERT",
            "id": "ESB-2022.0942",
            "trust": 0.6
          },
          {
            "db": "AUSCERT",
            "id": "ESB-2022.1414",
            "trust": 0.6
          },
          {
            "db": "CS-HELP",
            "id": "SB2022022414",
            "trust": 0.6
          },
          {
            "db": "CS-HELP",
            "id": "SB2022030601",
            "trust": 0.6
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202202-1757",
            "trust": 0.6
          },
          {
            "db": "VULMON",
            "id": "CVE-2022-23608",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "175025",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-23608"
          },
          {
            "db": "PACKETSTORM",
            "id": "169618"
          },
          {
            "db": "PACKETSTORM",
            "id": "169938"
          },
          {
            "db": "PACKETSTORM",
            "id": "175025"
          },
          {
            "db": "PACKETSTORM",
            "id": "166226"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202202-1757"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-006237"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-23608"
          }
        ]
      },
      "id": "VAR-202202-0167",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.348297215
      },
      "last_update_date": "2025-11-18T12:34:49.883000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "PJSIP Remediation of resource management error vulnerabilities",
            "trust": 0.6,
            "url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=184333"
          },
          {
            "title": "Debian CVElist Bug Report Logs: ring: CVE-2021-32686 CVE-2021-37706 CVE-2022-21723 CVE-2022-23608 CVE-2021-43299 CVE-2021-43300 CVE-2021-43301 CVE-2021-43302 CVE-2021-43303 CVE-2021-43804 CVE-2021-43845 CVE-2022-21722 CVE-2022-24754 CVE-2022-24763 CVE-2022-24764 CVE-2022-24793",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=4e89fc7b47aa12e94340b2e2db73b906"
          },
          {
            "title": "Debian Security Advisories: DSA-5285-1 asterisk -- security update",
            "trust": 0.1,
            "url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=edc2cf0db8c0593c65c4c82227026727"
          },
          {
            "title": "CVE-2022-XXXX",
            "trust": 0.1,
            "url": "https://github.com/AlphabugX/CVE-2022-23305 "
          },
          {
            "title": "CVE-2022-XXXX",
            "trust": 0.1,
            "url": "https://github.com/AlphabugX/CVE-2022-RCE "
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-23608"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202202-1757"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-416",
            "trust": 1.0
          },
          {
            "problemtype": "Use of freed memory (CWE-416) [ others ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-006237"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-23608"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 3.1,
            "url": "http://packetstormsecurity.com/files/166226/asterisk-project-security-advisory-ast-2022-005.html"
          },
          {
            "trust": 2.6,
            "url": "https://github.com/pjsip/pjproject/security/advisories/ghsa-ffff-m5fm-qm62"
          },
          {
            "trust": 2.6,
            "url": "https://security.gentoo.org/glsa/202210-37"
          },
          {
            "trust": 2.6,
            "url": "https://www.debian.org/security/2022/dsa-5285"
          },
          {
            "trust": 2.5,
            "url": "https://github.com/pjsip/pjproject/commit/db3235953baa56d2fb0e276ca510fefca751643f"
          },
          {
            "trust": 2.5,
            "url": "http://seclists.org/fulldisclosure/2022/mar/1"
          },
          {
            "trust": 2.5,
            "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html"
          },
          {
            "trust": 2.5,
            "url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00040.html"
          },
          {
            "trust": 2.5,
            "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"
          },
          {
            "trust": 1.2,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-23608"
          },
          {
            "trust": 1.1,
            "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html"
          },
          {
            "trust": 1.0,
            "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html"
          },
          {
            "trust": 0.6,
            "url": "https://packetstormsecurity.com/files/169618/gentoo-linux-security-advisory-202210-37.html"
          },
          {
            "trust": 0.6,
            "url": "https://vigilance.fr/vulnerability/asterisk-reuse-after-free-via-pjproject-dialog-set-37713"
          },
          {
            "trust": 0.6,
            "url": "https://cxsecurity.com/cveshow/cve-2022-23608/"
          },
          {
            "trust": 0.6,
            "url": "https://packetstormsecurity.com/files/169938/debian-security-advisory-5285-1.html"
          },
          {
            "trust": 0.6,
            "url": "https://www.cybersecurity-help.cz/vdb/sb2022022414"
          },
          {
            "trust": 0.6,
            "url": "https://www.cybersecurity-help.cz/vdb/sb2022030601"
          },
          {
            "trust": 0.6,
            "url": "https://www.auscert.org.au/bulletins/esb-2022.0942"
          },
          {
            "trust": 0.6,
            "url": "https://www.auscert.org.au/bulletins/esb-2022.1414"
          },
          {
            "trust": 0.3,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43804"
          },
          {
            "trust": 0.3,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-24764"
          },
          {
            "trust": 0.3,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-21722"
          },
          {
            "trust": 0.3,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-37706"
          },
          {
            "trust": 0.3,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-24763"
          },
          {
            "trust": 0.2,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-24793"
          },
          {
            "trust": 0.2,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-39244"
          },
          {
            "trust": 0.2,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43845"
          },
          {
            "trust": 0.2,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-21723"
          },
          {
            "trust": 0.2,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43303"
          },
          {
            "trust": 0.2,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43302"
          },
          {
            "trust": 0.1,
            "url": "https://cwe.mitre.org/data/definitions/416.html"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov"
          },
          {
            "trust": 0.1,
            "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014998"
          },
          {
            "trust": 0.1,
            "url": "https://github.com/alphabugx/cve-2022-23305"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-41141"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-24754"
          },
          {
            "trust": 0.1,
            "url": "https://creativecommons.org/licenses/by-sa/2.5"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-39269"
          },
          {
            "trust": 0.1,
            "url": "https://bugs.gentoo.org."
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-24786"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-24792"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-31031"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-32686"
          },
          {
            "trust": 0.1,
            "url": "https://security.gentoo.org/"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43299"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-46837"
          },
          {
            "trust": 0.1,
            "url": "https://www.debian.org/security/faq"
          },
          {
            "trust": 0.1,
            "url": "https://www.debian.org/security/"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43301"
          },
          {
            "trust": 0.1,
            "url": "https://issues.asterisk.org/jira/browse/asterisk-29017."
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43300"
          },
          {
            "trust": 0.1,
            "url": "https://security-tracker.debian.org/tracker/asterisk"
          },
          {
            "trust": 0.1,
            "url": "https://ubuntu.com/security/notices/usn-6422-1"
          },
          {
            "trust": 0.1,
            "url": "https://launchpad.net/ubuntu/+source/ring/20190215.1.f152c98~ds1-1+deb10u2build0.20.04.1"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2023-27585"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-23537"
          },
          {
            "trust": 0.1,
            "url": "https://launchpad.net/ubuntu/+source/ring/20230206.0~ds1-5ubuntu0.1"
          },
          {
            "trust": 0.1,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2022-23547"
          },
          {
            "trust": 0.1,
            "url": "https://downloads.digium.com/pub/security/ast-2022-005-18.diff"
          },
          {
            "trust": 0.1,
            "url": "https://downloads.asterisk.org/pub/security/ast-2022-005.html"
          },
          {
            "trust": 0.1,
            "url": "http://www.asterisk.org/security"
          },
          {
            "trust": 0.1,
            "url": "https://downloads.digium.com/pub/security/ast-2022-005-19.diff"
          },
          {
            "trust": 0.1,
            "url": "https://downloads.digium.com/pub/security/ast-2022-005.pdf"
          },
          {
            "trust": 0.1,
            "url": "https://issues.asterisk.org/jira/browse/asterisk-29945"
          },
          {
            "trust": 0.1,
            "url": "https://downloads.digium.com/pub/security/ast-2022-005.html"
          },
          {
            "trust": 0.1,
            "url": "https://downloads.digium.com/pub/security/ast-2022-005-16.diff"
          },
          {
            "trust": 0.1,
            "url": "https://downloads.digium.com/pub/security/ast-2022-005-16.8.diff"
          }
        ],
        "sources": [
          {
            "db": "VULMON",
            "id": "CVE-2022-23608"
          },
          {
            "db": "PACKETSTORM",
            "id": "169618"
          },
          {
            "db": "PACKETSTORM",
            "id": "169938"
          },
          {
            "db": "PACKETSTORM",
            "id": "175025"
          },
          {
            "db": "PACKETSTORM",
            "id": "166226"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202202-1757"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-006237"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-23608"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "VULMON",
            "id": "CVE-2022-23608"
          },
          {
            "db": "PACKETSTORM",
            "id": "169618"
          },
          {
            "db": "PACKETSTORM",
            "id": "169938"
          },
          {
            "db": "PACKETSTORM",
            "id": "175025"
          },
          {
            "db": "PACKETSTORM",
            "id": "166226"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202202-1757"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-006237"
          },
          {
            "db": "NVD",
            "id": "CVE-2022-23608"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2022-02-22T00:00:00",
            "db": "VULMON",
            "id": "CVE-2022-23608"
          },
          {
            "date": "2022-11-01T13:21:55",
            "db": "PACKETSTORM",
            "id": "169618"
          },
          {
            "date": "2022-11-18T14:28:10",
            "db": "PACKETSTORM",
            "id": "169938"
          },
          {
            "date": "2023-10-10T14:47:37",
            "db": "PACKETSTORM",
            "id": "175025"
          },
          {
            "date": "2022-03-07T16:28:25",
            "db": "PACKETSTORM",
            "id": "166226"
          },
          {
            "date": "2022-02-22T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202202-1757"
          },
          {
            "date": "2023-07-03T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2022-006237"
          },
          {
            "date": "2022-02-22T20:15:07.693000",
            "db": "NVD",
            "id": "CVE-2022-23608"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2023-08-30T00:00:00",
            "db": "VULMON",
            "id": "CVE-2022-23608"
          },
          {
            "date": "2022-11-21T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-202202-1757"
          },
          {
            "date": "2023-07-03T08:38:00",
            "db": "JVNDB",
            "id": "JVNDB-2022-006237"
          },
          {
            "date": "2025-11-04T16:15:47.087000",
            "db": "NVD",
            "id": "CVE-2022-23608"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "PACKETSTORM",
            "id": "175025"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-202202-1757"
          }
        ],
        "trust": 0.7
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Teluu\u00a0Ltd.\u00a0 of \u00a0PJSIP\u00a0 Vulnerability related to use of freed memory in products from other vendors",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2022-006237"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "resource management error",
        "sources": [
          {
            "db": "CNNVD",
            "id": "CNNVD-202202-1757"
          }
        ],
        "trust": 0.6
      }
    }

    CVE-2026-23741 (GCVE-0-2026-23741)

    Vulnerability from nvd – Published: 2026-02-06 16:47 – Updated: 2026-02-06 17:26
    VLAI
    Title
    ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
    Summary
    Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the asterisk/contrib/scripts/ast_coredumper runs as root, as noted by the NOTES tag on line 689 of the ast_coredumper file. The script will source the contents of /etc/asterisk/ast_debug_tools.conf, which resides in a folder that is writeable by the asterisk user:group. Due to the /etc/asterisk/ast_debug_tools.conf file following bash semantics and it being loaded; an attacker with write permissions may add or modify the file such that when the root ast_coredumper is run; it would source and thereby execute arbitrary bash code found in the /etc/asterisk/ast_debug_tools.conf. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-427 - Uncontrolled Search Path Element
    Assigner
    References
    Impacted products
    Vendor Product Version
    asterisk asterisk Affected: < 23.2.2
    Affected: < 22.8.2
    Affected: < 21.12.1
    Affected: < 20.18.2
    Affected: < 20.7-cert9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23741",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-06T17:22:49.844752Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-06T17:26:22.216Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "asterisk",
              "vendor": "asterisk",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 23.2.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 22.8.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 21.12.1"
                },
                {
                  "status": "affected",
                  "version": "\u003c 20.18.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 20.7-cert9"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the asterisk/contrib/scripts/ast_coredumper runs as root, as noted by the NOTES tag on line 689 of the ast_coredumper file. The script will source the contents of /etc/asterisk/ast_debug_tools.conf, which resides in a folder that is writeable by the asterisk user:group. Due to the /etc/asterisk/ast_debug_tools.conf file following bash semantics and it being loaded; an attacker with write permissions may add or modify the file such that when the root ast_coredumper is run; it would source and thereby execute arbitrary bash code found in the /etc/asterisk/ast_debug_tools.conf. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 0,
                "baseSeverity": "NONE",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-427",
                  "description": "CWE-427: Uncontrolled Search Path Element",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-06T16:47:19.611Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-rvch-3jmx-3jf3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-rvch-3jmx-3jf3"
            }
          ],
          "source": {
            "advisory": "GHSA-rvch-3jmx-3jf3",
            "discovery": "UNKNOWN"
          },
          "title": "ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23741",
        "datePublished": "2026-02-06T16:47:19.611Z",
        "dateReserved": "2026-01-15T15:45:01.958Z",
        "dateUpdated": "2026-02-06T17:26:22.216Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23740 (GCVE-0-2026-23740)

    Vulnerability from nvd – Published: 2026-02-06 16:43 – Updated: 2026-02-06 19:11
    VLAI
    Title
    Asterisk vulnerable to potential privilege escalation
    Summary
    Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files to a directory that is world-writable (for example /tmp), an attacker with write permission(which is all users on a linux system) to that directory can cause root to execute arbitrary commands or overwrite arbitrary files by controlling the gdb init file and output paths. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-427 - Uncontrolled Search Path Element
    Assigner
    References
    Impacted products
    Vendor Product Version
    asterisk asterisk Affected: < 23.2.2
    Affected: < 22.8.2
    Affected: < 21.12.1
    Affected: < 20.18.2
    Affected: < 20.7-cert9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23740",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-06T19:11:52.277402Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-06T19:11:55.655Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "asterisk",
              "vendor": "asterisk",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 23.2.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 22.8.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 21.12.1"
                },
                {
                  "status": "affected",
                  "version": "\u003c 20.18.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 20.7-cert9"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files to a directory that is world-writable (for example /tmp), an attacker with write permission(which is all users on a linux system) to that directory can cause root to execute arbitrary commands or overwrite arbitrary files by controlling the gdb init file and output paths. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 0,
                "baseSeverity": "NONE",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-427",
                  "description": "CWE-427: Uncontrolled Search Path Element",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-06T16:43:52.278Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-xpc6-x892-v83c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-xpc6-x892-v83c"
            }
          ],
          "source": {
            "advisory": "GHSA-xpc6-x892-v83c",
            "discovery": "UNKNOWN"
          },
          "title": "Asterisk vulnerable to potential privilege escalation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23740",
        "datePublished": "2026-02-06T16:43:41.330Z",
        "dateReserved": "2026-01-15T15:45:01.958Z",
        "dateUpdated": "2026-02-06T19:11:55.655Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23739 (GCVE-0-2026-23739)

    Vulnerability from nvd – Published: 2026-02-06 16:42 – Updated: 2026-02-06 17:37
    VLAI
    Title
    Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
    Summary
    Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the ast_xml_open() function in xml.c parses XML documents using libxml with unsafe parsing options that enable entity expansion and XInclude processing. Specifically, it invokes xmlReadFile() with the XML_PARSE_NOENT flag and later processes XIncludes via xmlXIncludeProcess().If any untrusted or user-supplied XML file is passed to this function, it can allow an attacker to trigger XML External Entity (XXE) or XInclude-based local file disclosure, potentially exposing sensitive files from the host system. This can also be triggered in other cases in which the user is able to supply input in xml format that triggers the asterisk process to parse it. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-611 - Improper Restriction of XML External Entity Reference
    Assigner
    References
    Impacted products
    Vendor Product Version
    asterisk asterisk Affected: < 23.2.2
    Affected: < 22.8.2
    Affected: < 21.12.1
    Affected: < 20.18.2
    Affected: < 20.7-cert9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23739",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-06T17:36:34.440710Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-06T17:37:22.223Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "asterisk",
              "vendor": "asterisk",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 23.2.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 22.8.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 21.12.1"
                },
                {
                  "status": "affected",
                  "version": "\u003c 20.18.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 20.7-cert9"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the ast_xml_open() function in xml.c parses XML documents using libxml with unsafe parsing options that enable entity expansion and XInclude processing. Specifically, it invokes xmlReadFile() with the XML_PARSE_NOENT flag and later processes XIncludes via xmlXIncludeProcess().If any untrusted or user-supplied XML file is passed to this function, it can allow an attacker to trigger XML External Entity (XXE) or XInclude-based local file disclosure, potentially exposing sensitive files from the host system. This can also be triggered in other cases in which the user is able to supply input in xml format that triggers the asterisk process to parse it. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 2,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "CWE-611: Improper Restriction of XML External Entity Reference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-06T16:42:25.816Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-85x7-54wr-vh42",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-85x7-54wr-vh42"
            }
          ],
          "source": {
            "advisory": "GHSA-85x7-54wr-vh42",
            "discovery": "UNKNOWN"
          },
          "title": "Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23739",
        "datePublished": "2026-02-06T16:42:25.816Z",
        "dateReserved": "2026-01-15T15:45:01.957Z",
        "dateUpdated": "2026-02-06T17:37:22.223Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23738 (GCVE-0-2026-23738)

    Vulnerability from nvd – Published: 2026-02-06 16:41 – Updated: 2026-02-06 17:44
    VLAI
    Title
    The Asterisk embedded web server 's /httpstatus page echos user supplied values(cookie and query string) without sanitization
    Summary
    Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using ast_str_append. The endpoint at GET /httpstatus is the potential vulnerable endpoint relating to asterisk/main /http.c. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    asterisk asterisk Affected: < 23.2.2
    Affected: < 22.8.2
    Affected: < 21.12.1
    Affected: < 20.18.2
    Affected: < 20.7-cert9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23738",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-06T17:43:40.418371Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-06T17:44:20.480Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "asterisk",
              "vendor": "asterisk",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 23.2.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 22.8.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 21.12.1"
                },
                {
                  "status": "affected",
                  "version": "\u003c 20.18.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 20.7-cert9"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using ast_str_append. The endpoint at GET /httpstatus is the potential vulnerable endpoint relating to asterisk/main /http.c. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-06T16:41:43.769Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-v6hp-wh3r-cwxh",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-v6hp-wh3r-cwxh"
            }
          ],
          "source": {
            "advisory": "GHSA-v6hp-wh3r-cwxh",
            "discovery": "UNKNOWN"
          },
          "title": "The Asterisk embedded web server \u0027s /httpstatus page echos user supplied values(cookie and query string) without sanitization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23738",
        "datePublished": "2026-02-06T16:41:43.769Z",
        "dateReserved": "2026-01-15T15:45:01.957Z",
        "dateUpdated": "2026-02-06T17:44:20.480Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-1131 (GCVE-0-2025-1131)

    Vulnerability from nvd – Published: 2025-09-23 04:31 – Updated: 2026-02-26 17:48
    VLAI
    Title
    Asterisk Unsafe Shell Sourcing in safe_asterisk Leads to Local Privilege Escalation
    Summary
    A local privilege escalation vulnerability exists in the safe_asterisk script included with the Asterisk toolkit package. When Asterisk is started via this script (common in SysV init or FreePBX environments), it sources all .sh files located in /etc/asterisk/startup.d/ as root, without validating ownership or permissions. Non-root users with legitimate write access to /etc/asterisk can exploit this behaviour by placing malicious scripts in the startup.d directory, which will then execute with root privileges upon service restart.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-427 - Uncontrolled Search Path Element
    Assigner
    Impacted products
    Vendor Product Version
    Asterisk Asterisk Affected: Asterisk <=18.26.2 (custom)
    Affected: Asterisk <= 20.15.0 (custom)
    Affected: Asterisk <= 21.10.0 (custom)
    Affected: Asterisk <= 22.5.0 (custom)
    Create a notification for this product.
    Date Public
    2025-08-01 05:23
    Credits
    Abdul Mhanni
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1131",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-24T03:55:15.207908Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T17:48:19.381Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T17:31:42.189Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00006.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "safe_asterisk /etc/asterisk/startup.d"
              ],
              "platforms": [
                "Linux",
                "MacOS"
              ],
              "product": "Asterisk",
              "programFiles": [
                "safe_asterisk"
              ],
              "repo": "https://github.com/asterisk/asterisk",
              "vendor": "Asterisk",
              "versions": [
                {
                  "status": "affected",
                  "version": "Asterisk \u003c=18.26.2",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "Asterisk \u003c= 20.15.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "Asterisk \u003c= 21.10.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "Asterisk \u003c= 22.5.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "datePublic": "2025-08-01T05:23:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA local privilege escalation vulnerability exists in the \u003ccode\u003esafe_asterisk\u003c/code\u003e script included with the Asterisk toolkit package. When Asterisk is started via this script (common in SysV init or FreePBX environments), it sources all \u003ccode\u003e.sh\u003c/code\u003e files located in \u003ccode\u003e/etc/asterisk/startup.d/\u003c/code\u003e \u003cstrong\u003eas root\u003c/strong\u003e, without validating ownership or permissions.\u003c/p\u003e\n\u003cp\u003eNon-root users with legitimate write access to \u003ccode\u003e/etc/asterisk\u003c/code\u003e can exploit this behaviour by placing malicious scripts in the \u003ccode\u003estartup.d\u003c/code\u003e directory, which will then execute with root privileges upon service restart.\u003c/p\u003e"
                }
              ],
              "value": "A local privilege escalation vulnerability exists in the safe_asterisk script included with the Asterisk toolkit package. When Asterisk is started via this script (common in SysV init or FreePBX environments), it sources all .sh files located in /etc/asterisk/startup.d/ as root, without validating ownership or permissions.\n\n\nNon-root users with legitimate write access to /etc/asterisk can exploit this behaviour by placing malicious scripts in the startup.d directory, which will then execute with root privileges upon service restart."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "AMBER",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "valueDensity": "CONCENTRATED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/V:C/RE:H/U:Amber",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "HIGH"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-427",
                  "description": "CWE-427 Uncontrolled Search Path Element",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-23T04:31:02.784Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Asterisk Unsafe Shell Sourcing in safe_asterisk Leads to Local Privilege Escalation",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-1131",
        "datePublished": "2025-09-23T04:31:02.784Z",
        "dateReserved": "2025-02-08T04:11:43.201Z",
        "dateUpdated": "2026-02-26T17:48:19.381Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-57767 (GCVE-0-2025-57767)

    Vulnerability from nvd – Published: 2025-08-28 15:33 – Updated: 2025-08-28 17:12
    VLAI
    Title
    Asterisk can crash from a specifically malformed Authorization header in an incoming SIP request
    Summary
    Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.15.2, 21.10.2, and 22.5.2, if a SIP request is received with an Authorization header that contains a realm that wasn't in a previous 401 response's WWW-Authenticate header, or an Authorization header with an incorrect realm was received without a previous 401 response being sent, the get_authorization_header() function in res_pjsip_authenticator_digest will return a NULL. This wasn't being checked before attempting to get the digest algorithm from the header which causes a SEGV. This issue has been patched in versions 20.15.2, 21.10.2, and 22.5.2. There are no workarounds.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-253 - Incorrect Check of Function Return Value
    Assigner
    Impacted products
    Vendor Product Version
    asterisk asterisk Affected: < 22.5.2
    Affected: < 21.10.2
    Affected: < 20.15.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-57767",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-28T17:12:27.086945Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-28T17:12:35.539Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "asterisk",
              "vendor": "asterisk",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 22.5.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 21.10.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 20.15.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.15.2, 21.10.2, and 22.5.2, if a SIP request is received with an Authorization header that contains a realm that wasn\u0027t in a previous 401 response\u0027s WWW-Authenticate header, or an Authorization header with an incorrect realm was received without a previous 401 response being sent, the get_authorization_header() function in res_pjsip_authenticator_digest will return a NULL. This wasn\u0027t being checked before attempting to get the digest algorithm from the header which causes a SEGV. This issue has been patched in versions 20.15.2, 21.10.2, and 22.5.2. There are no workarounds."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-253",
                  "description": "CWE-253: Incorrect Check of Function Return Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-28T15:33:00.087Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-64qc-9x89-rx5j",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-64qc-9x89-rx5j"
            },
            {
              "name": "https://github.com/asterisk/asterisk/pull/1407",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/asterisk/asterisk/pull/1407"
            },
            {
              "name": "https://github.com/asterisk/asterisk/commit/02993717b08f899d4aca9888062f35dfb198584f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/asterisk/asterisk/commit/02993717b08f899d4aca9888062f35dfb198584f"
            }
          ],
          "source": {
            "advisory": "GHSA-64qc-9x89-rx5j",
            "discovery": "UNKNOWN"
          },
          "title": "Asterisk can crash from a specifically malformed Authorization header in an incoming SIP request"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-57767",
        "datePublished": "2025-08-28T15:33:00.087Z",
        "dateReserved": "2025-08-19T15:16:22.917Z",
        "dateUpdated": "2025-08-28T17:12:35.539Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-54995 (GCVE-0-2025-54995)

    Vulnerability from nvd – Published: 2025-08-28 15:08 – Updated: 2025-11-03 17:45
    VLAI
    Title
    Asterisk remotely exploitable leak of RTP UDP ports and internal resources
    Summary
    Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 18.26.4 and 18.9-cert17, RTP UDP ports and internal resources can leak due to a lack of session termination. This could result in leaks and resource exhaustion. This issue has been patched in versions 18.26.4 and 18.9-cert17.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1286 - Improper Validation of Syntactic Correctness of Input
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    asterisk asterisk Affected: < 18.26.4
    Affected: < 18.9-cert17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54995",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-28T18:53:35.935192Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-28T18:54:20.465Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T17:45:15.011Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00006.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "asterisk",
              "vendor": "asterisk",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 18.26.4"
                },
                {
                  "status": "affected",
                  "version": "\u003c 18.9-cert17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 18.26.4 and 18.9-cert17, RTP UDP ports and internal resources can leak due to a lack of session termination. This could result in leaks and resource exhaustion. This issue has been patched in versions 18.26.4 and 18.9-cert17."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1286",
                  "description": "CWE-1286: Improper Validation of Syntactic Correctness of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-28T15:08:04.468Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-557q-795j-wfx2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-557q-795j-wfx2"
            },
            {
              "name": "https://github.com/asterisk/asterisk/pull/1405",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/asterisk/asterisk/pull/1405"
            },
            {
              "name": "https://github.com/asterisk/asterisk/pull/1406",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/asterisk/asterisk/pull/1406"
            },
            {
              "name": "https://github.com/asterisk/asterisk/commit/0278f5bde14565c6838a6ec39bc21aee0cde56a9",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/asterisk/asterisk/commit/0278f5bde14565c6838a6ec39bc21aee0cde56a9"
            },
            {
              "name": "https://github.com/asterisk/asterisk/commit/eafcd7a451dcd007dddf324ac37dd55a4808338d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/asterisk/asterisk/commit/eafcd7a451dcd007dddf324ac37dd55a4808338d"
            }
          ],
          "source": {
            "advisory": "GHSA-557q-795j-wfx2",
            "discovery": "UNKNOWN"
          },
          "title": "Asterisk remotely exploitable leak of RTP UDP ports and internal resources"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-54995",
        "datePublished": "2025-08-28T15:08:04.468Z",
        "dateReserved": "2025-08-04T17:34:24.420Z",
        "dateUpdated": "2025-11-03T17:45:15.011Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-49832 (GCVE-0-2025-49832)

    Vulnerability from nvd – Published: 2025-08-01 17:57 – Updated: 2025-08-01 18:29
    VLAI
    Title
    Asterisk is Vulnerable to Remote DoS and possible RCE Attacks During Memory Allocation
    Summary
    Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in `asterisk/res/res_stir_shaken /verification.c` that can be exploited when an attacker can set an arbitrary Identity header, or STIR/SHAKEN is enabled, with verification set in the SIP profile associated with the endpoint to be attacked. This is fixed in versions 18.26.3, 20.7-cert6, 20.15.1, 21.10.1 and 22.5.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL Pointer Dereference
    Assigner
    References
    Impacted products
    Vendor Product Version
    asterisk asterisk Affected: < 18.26.3
    Affected: >= 20.00.0, < 20.15.1
    Affected: >= 21.00.0, < 21.10.1
    Affected: >= 22.00.0, < 22.5.1
    Affected: >= 20.7-cert6, < 20.7-cert7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49832",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-01T18:28:56.826749Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-01T18:29:18.330Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "asterisk",
              "vendor": "asterisk",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 18.26.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.00.0, \u003c 20.15.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.00.0, \u003c 21.10.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 22.00.0, \u003c 22.5.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.7-cert6, \u003c 20.7-cert7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in `asterisk/res/res_stir_shaken /verification.c` that can be exploited when an attacker can set an arbitrary Identity header, or STIR/SHAKEN is enabled, with verification set in the SIP profile associated with the endpoint to be attacked. This is fixed in versions 18.26.3, 20.7-cert6, 20.15.1, 21.10.1 and 22.5.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-476",
                  "description": "CWE-476: NULL Pointer Dereference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-01T17:57:29.933Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-mrq5-74j5-f5cr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-mrq5-74j5-f5cr"
            }
          ],
          "source": {
            "advisory": "GHSA-mrq5-74j5-f5cr",
            "discovery": "UNKNOWN"
          },
          "title": "Asterisk is Vulnerable to Remote DoS and possible RCE Attacks During Memory Allocation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-49832",
        "datePublished": "2025-08-01T17:57:29.933Z",
        "dateReserved": "2025-06-11T14:33:57.799Z",
        "dateUpdated": "2025-08-01T18:29:18.330Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-47780 (GCVE-0-2025-47780)

    Vulnerability from nvd – Published: 2025-05-22 16:56 – Updated: 2025-11-03 20:04
    VLAI
    Title
    cli_permissions.conf: deny option does not work for disallowing shell commands
    Summary
    Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring `cli_permissions.conf` (e.g. with the config line `deny=!*`) does not work which could lead to a security risk. If an administrator running an Asterisk instance relies on the `cli_permissions.conf` file to work and expects it to deny all attempts to execute shell commands, then this could lead to a security vulnerability. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    asterisk asterisk Affected: < 18.9-cert14
    Affected: >= 18.10, < 18.26.2
    Affected: >= 20.0, < 20.7-cert5
    Affected: >= 20.8, < 20.14.1
    Affected: >= 21.0, < 21.9.1
    Affected: >= 22.0, < 22.4.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-47780",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-22T17:24:44.875844Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-22T17:25:09.045Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T20:04:38.254Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00003.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "asterisk",
              "vendor": "asterisk",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 18.9-cert14"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 18.10, \u003c 18.26.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0, \u003c 20.7-cert5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.8, \u003c 20.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0, \u003c 21.9.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 22.0, \u003c 22.4.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring `cli_permissions.conf` (e.g. with the config line `deny=!*`) does not work which could lead to a security risk. If an administrator running an Asterisk instance relies on the `cli_permissions.conf` file to work and expects it to deny all attempts to execute shell commands, then this could lead to a security vulnerability. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-22T16:56:28.937Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2"
            }
          ],
          "source": {
            "advisory": "GHSA-c7p6-7mvq-8jq2",
            "discovery": "UNKNOWN"
          },
          "title": "cli_permissions.conf: deny option does not work for disallowing shell commands"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-47780",
        "datePublished": "2025-05-22T16:56:28.937Z",
        "dateReserved": "2025-05-09T19:49:35.620Z",
        "dateUpdated": "2025-11-03T20:04:38.254Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-47779 (GCVE-0-2025-47779)

    Vulnerability from nvd – Published: 2025-05-22 16:54 – Updated: 2025-11-03 20:04
    VLAI
    Title
    Using malformed From header can forge identity with ";" or NULL in name portion
    Summary
    Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, SIP requests of the type MESSAGE (RFC 3428) authentication do not get proper alignment. An authenticated attacker can spoof any user identity to send spam messages to the user with their authorization token. Abuse of this security issue allows authenticated attackers to send fake chat messages can be spoofed to appear to come from trusted entities. Even administrators who follow Security best practices and Security Considerations can be impacted. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-140 - Improper Neutralization of Delimiters
    • CWE-792 - Incomplete Filtering of One or More Instances of Special Elements
    Assigner
    Impacted products
    Vendor Product Version
    asterisk asterisk Affected: < 18.9-cert14
    Affected: >= 18.10, < 18.26.2
    Affected: >= 20.0, < 20.7-cert5
    Affected: >= 20.8, < 20.14.1
    Affected: >= 21.0, < 21.9.1
    Affected: >= 22.0, < 22.4.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-47779",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-22T17:25:58.891881Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-22T17:26:57.260Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T20:04:36.858Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00003.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "asterisk",
              "vendor": "asterisk",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 18.9-cert14"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 18.10, \u003c 18.26.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0, \u003c 20.7-cert5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.8, \u003c 20.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0, \u003c 21.9.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 22.0, \u003c 22.4.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, SIP requests of the type MESSAGE (RFC 3428) authentication do not get proper alignment. An authenticated attacker can spoof any user identity to send spam messages to the user with their authorization token. Abuse of this security issue allows authenticated attackers to send fake chat messages can be spoofed to appear to come from trusted entities. Even administrators who follow Security best practices and Security Considerations can be impacted. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-140",
                  "description": "CWE-140: Improper Neutralization of Delimiters",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-792",
                  "description": "CWE-792: Incomplete Filtering of One or More Instances of Special Elements",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-22T16:54:26.314Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-2grh-7mhv-fcfw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-2grh-7mhv-fcfw"
            },
            {
              "name": "https://github.com/asterisk/asterisk/blob/master/configs/samples/pjsip.conf.sample",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/asterisk/asterisk/blob/master/configs/samples/pjsip.conf.sample"
            }
          ],
          "source": {
            "advisory": "GHSA-2grh-7mhv-fcfw",
            "discovery": "UNKNOWN"
          },
          "title": "Using malformed From header can forge identity with \";\" or NULL in name portion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-47779",
        "datePublished": "2025-05-22T16:54:26.314Z",
        "dateReserved": "2025-05-09T19:49:35.620Z",
        "dateUpdated": "2025-11-03T20:04:36.858Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23741 (GCVE-0-2026-23741)

    Vulnerability from cvelistv5 – Published: 2026-02-06 16:47 – Updated: 2026-02-06 17:26
    VLAI
    Title
    ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation
    Summary
    Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the asterisk/contrib/scripts/ast_coredumper runs as root, as noted by the NOTES tag on line 689 of the ast_coredumper file. The script will source the contents of /etc/asterisk/ast_debug_tools.conf, which resides in a folder that is writeable by the asterisk user:group. Due to the /etc/asterisk/ast_debug_tools.conf file following bash semantics and it being loaded; an attacker with write permissions may add or modify the file such that when the root ast_coredumper is run; it would source and thereby execute arbitrary bash code found in the /etc/asterisk/ast_debug_tools.conf. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-427 - Uncontrolled Search Path Element
    Assigner
    References
    Impacted products
    Vendor Product Version
    asterisk asterisk Affected: < 23.2.2
    Affected: < 22.8.2
    Affected: < 21.12.1
    Affected: < 20.18.2
    Affected: < 20.7-cert9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23741",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-06T17:22:49.844752Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-06T17:26:22.216Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "asterisk",
              "vendor": "asterisk",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 23.2.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 22.8.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 21.12.1"
                },
                {
                  "status": "affected",
                  "version": "\u003c 20.18.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 20.7-cert9"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the asterisk/contrib/scripts/ast_coredumper runs as root, as noted by the NOTES tag on line 689 of the ast_coredumper file. The script will source the contents of /etc/asterisk/ast_debug_tools.conf, which resides in a folder that is writeable by the asterisk user:group. Due to the /etc/asterisk/ast_debug_tools.conf file following bash semantics and it being loaded; an attacker with write permissions may add or modify the file such that when the root ast_coredumper is run; it would source and thereby execute arbitrary bash code found in the /etc/asterisk/ast_debug_tools.conf. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 0,
                "baseSeverity": "NONE",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-427",
                  "description": "CWE-427: Uncontrolled Search Path Element",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-06T16:47:19.611Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-rvch-3jmx-3jf3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-rvch-3jmx-3jf3"
            }
          ],
          "source": {
            "advisory": "GHSA-rvch-3jmx-3jf3",
            "discovery": "UNKNOWN"
          },
          "title": "ast_coredumper running as root sources ast_debug_tools.conf from /etc/asterisk; potentially leading to privilege escalation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23741",
        "datePublished": "2026-02-06T16:47:19.611Z",
        "dateReserved": "2026-01-15T15:45:01.958Z",
        "dateUpdated": "2026-02-06T17:26:22.216Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23740 (GCVE-0-2026-23740)

    Vulnerability from cvelistv5 – Published: 2026-02-06 16:43 – Updated: 2026-02-06 19:11
    VLAI
    Title
    Asterisk vulnerable to potential privilege escalation
    Summary
    Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files to a directory that is world-writable (for example /tmp), an attacker with write permission(which is all users on a linux system) to that directory can cause root to execute arbitrary commands or overwrite arbitrary files by controlling the gdb init file and output paths. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-427 - Uncontrolled Search Path Element
    Assigner
    References
    Impacted products
    Vendor Product Version
    asterisk asterisk Affected: < 23.2.2
    Affected: < 22.8.2
    Affected: < 21.12.1
    Affected: < 20.18.2
    Affected: < 20.7-cert9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "LOCAL",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.8,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23740",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-06T19:11:52.277402Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-06T19:11:55.655Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "asterisk",
              "vendor": "asterisk",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 23.2.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 22.8.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 21.12.1"
                },
                {
                  "status": "affected",
                  "version": "\u003c 20.18.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 20.7-cert9"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files to a directory that is world-writable (for example /tmp), an attacker with write permission(which is all users on a linux system) to that directory can cause root to execute arbitrary commands or overwrite arbitrary files by controlling the gdb init file and output paths. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 0,
                "baseSeverity": "NONE",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-427",
                  "description": "CWE-427: Uncontrolled Search Path Element",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-06T16:43:52.278Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-xpc6-x892-v83c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-xpc6-x892-v83c"
            }
          ],
          "source": {
            "advisory": "GHSA-xpc6-x892-v83c",
            "discovery": "UNKNOWN"
          },
          "title": "Asterisk vulnerable to potential privilege escalation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23740",
        "datePublished": "2026-02-06T16:43:41.330Z",
        "dateReserved": "2026-01-15T15:45:01.958Z",
        "dateUpdated": "2026-02-06T19:11:55.655Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23739 (GCVE-0-2026-23739)

    Vulnerability from cvelistv5 – Published: 2026-02-06 16:42 – Updated: 2026-02-06 17:37
    VLAI
    Title
    Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection
    Summary
    Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the ast_xml_open() function in xml.c parses XML documents using libxml with unsafe parsing options that enable entity expansion and XInclude processing. Specifically, it invokes xmlReadFile() with the XML_PARSE_NOENT flag and later processes XIncludes via xmlXIncludeProcess().If any untrusted or user-supplied XML file is passed to this function, it can allow an attacker to trigger XML External Entity (XXE) or XInclude-based local file disclosure, potentially exposing sensitive files from the host system. This can also be triggered in other cases in which the user is able to supply input in xml format that triggers the asterisk process to parse it. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-611 - Improper Restriction of XML External Entity Reference
    Assigner
    References
    Impacted products
    Vendor Product Version
    asterisk asterisk Affected: < 23.2.2
    Affected: < 22.8.2
    Affected: < 21.12.1
    Affected: < 20.18.2
    Affected: < 20.7-cert9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23739",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-06T17:36:34.440710Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-06T17:37:22.223Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "asterisk",
              "vendor": "asterisk",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 23.2.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 22.8.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 21.12.1"
                },
                {
                  "status": "affected",
                  "version": "\u003c 20.18.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 20.7-cert9"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the ast_xml_open() function in xml.c parses XML documents using libxml with unsafe parsing options that enable entity expansion and XInclude processing. Specifically, it invokes xmlReadFile() with the XML_PARSE_NOENT flag and later processes XIncludes via xmlXIncludeProcess().If any untrusted or user-supplied XML file is passed to this function, it can allow an attacker to trigger XML External Entity (XXE) or XInclude-based local file disclosure, potentially exposing sensitive files from the host system. This can also be triggered in other cases in which the user is able to supply input in xml format that triggers the asterisk process to parse it. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 2,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "CWE-611: Improper Restriction of XML External Entity Reference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-06T16:42:25.816Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-85x7-54wr-vh42",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-85x7-54wr-vh42"
            }
          ],
          "source": {
            "advisory": "GHSA-85x7-54wr-vh42",
            "discovery": "UNKNOWN"
          },
          "title": "Asterisk xml.c uses unsafe XML_PARSE_NOENT leading to potential XXE Injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23739",
        "datePublished": "2026-02-06T16:42:25.816Z",
        "dateReserved": "2026-01-15T15:45:01.957Z",
        "dateUpdated": "2026-02-06T17:37:22.223Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-23738 (GCVE-0-2026-23738)

    Vulnerability from cvelistv5 – Published: 2026-02-06 16:41 – Updated: 2026-02-06 17:44
    VLAI
    Title
    The Asterisk embedded web server 's /httpstatus page echos user supplied values(cookie and query string) without sanitization
    Summary
    Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using ast_str_append. The endpoint at GET /httpstatus is the potential vulnerable endpoint relating to asterisk/main /http.c. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    asterisk asterisk Affected: < 23.2.2
    Affected: < 22.8.2
    Affected: < 21.12.1
    Affected: < 20.18.2
    Affected: < 20.7-cert9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-23738",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-06T17:43:40.418371Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-06T17:44:20.480Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "asterisk",
              "vendor": "asterisk",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 23.2.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 22.8.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 21.12.1"
                },
                {
                  "status": "affected",
                  "version": "\u003c 20.18.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 20.7-cert9"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using ast_str_append. The endpoint at GET /httpstatus is the potential vulnerable endpoint relating to asterisk/main /http.c. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-06T16:41:43.769Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-v6hp-wh3r-cwxh",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-v6hp-wh3r-cwxh"
            }
          ],
          "source": {
            "advisory": "GHSA-v6hp-wh3r-cwxh",
            "discovery": "UNKNOWN"
          },
          "title": "The Asterisk embedded web server \u0027s /httpstatus page echos user supplied values(cookie and query string) without sanitization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-23738",
        "datePublished": "2026-02-06T16:41:43.769Z",
        "dateReserved": "2026-01-15T15:45:01.957Z",
        "dateUpdated": "2026-02-06T17:44:20.480Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-1131 (GCVE-0-2025-1131)

    Vulnerability from cvelistv5 – Published: 2025-09-23 04:31 – Updated: 2026-02-26 17:48
    VLAI
    Title
    Asterisk Unsafe Shell Sourcing in safe_asterisk Leads to Local Privilege Escalation
    Summary
    A local privilege escalation vulnerability exists in the safe_asterisk script included with the Asterisk toolkit package. When Asterisk is started via this script (common in SysV init or FreePBX environments), it sources all .sh files located in /etc/asterisk/startup.d/ as root, without validating ownership or permissions. Non-root users with legitimate write access to /etc/asterisk can exploit this behaviour by placing malicious scripts in the startup.d directory, which will then execute with root privileges upon service restart.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-427 - Uncontrolled Search Path Element
    Assigner
    Impacted products
    Vendor Product Version
    Asterisk Asterisk Affected: Asterisk <=18.26.2 (custom)
    Affected: Asterisk <= 20.15.0 (custom)
    Affected: Asterisk <= 21.10.0 (custom)
    Affected: Asterisk <= 22.5.0 (custom)
    Create a notification for this product.
    Date Public
    2025-08-01 05:23
    Credits
    Abdul Mhanni
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1131",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-24T03:55:15.207908Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T17:48:19.381Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T17:31:42.189Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00006.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "safe_asterisk /etc/asterisk/startup.d"
              ],
              "platforms": [
                "Linux",
                "MacOS"
              ],
              "product": "Asterisk",
              "programFiles": [
                "safe_asterisk"
              ],
              "repo": "https://github.com/asterisk/asterisk",
              "vendor": "Asterisk",
              "versions": [
                {
                  "status": "affected",
                  "version": "Asterisk \u003c=18.26.2",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "Asterisk \u003c= 20.15.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "Asterisk \u003c= 21.10.0",
                  "versionType": "custom"
                },
                {
                  "status": "affected",
                  "version": "Asterisk \u003c= 22.5.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abdul Mhanni"
            }
          ],
          "datePublic": "2025-08-01T05:23:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eA local privilege escalation vulnerability exists in the \u003ccode\u003esafe_asterisk\u003c/code\u003e script included with the Asterisk toolkit package. When Asterisk is started via this script (common in SysV init or FreePBX environments), it sources all \u003ccode\u003e.sh\u003c/code\u003e files located in \u003ccode\u003e/etc/asterisk/startup.d/\u003c/code\u003e \u003cstrong\u003eas root\u003c/strong\u003e, without validating ownership or permissions.\u003c/p\u003e\n\u003cp\u003eNon-root users with legitimate write access to \u003ccode\u003e/etc/asterisk\u003c/code\u003e can exploit this behaviour by placing malicious scripts in the \u003ccode\u003estartup.d\u003c/code\u003e directory, which will then execute with root privileges upon service restart.\u003c/p\u003e"
                }
              ],
              "value": "A local privilege escalation vulnerability exists in the safe_asterisk script included with the Asterisk toolkit package. When Asterisk is started via this script (common in SysV init or FreePBX environments), it sources all .sh files located in /etc/asterisk/startup.d/ as root, without validating ownership or permissions.\n\n\nNon-root users with legitimate write access to /etc/asterisk can exploit this behaviour by placing malicious scripts in the startup.d directory, which will then execute with root privileges upon service restart."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "LOW",
                "providerUrgency": "AMBER",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "PASSIVE",
                "valueDensity": "CONCENTRATED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/V:C/RE:H/U:Amber",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "HIGH"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-427",
                  "description": "CWE-427 Uncontrolled Search Path Element",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-23T04:31:02.784Z",
            "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
            "shortName": "Gridware"
          },
          "references": [
            {
              "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-v9q8-9j8m-5xwp"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Asterisk Unsafe Shell Sourcing in safe_asterisk Leads to Local Privilege Escalation",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "assignerShortName": "Gridware",
        "cveId": "CVE-2025-1131",
        "datePublished": "2025-09-23T04:31:02.784Z",
        "dateReserved": "2025-02-08T04:11:43.201Z",
        "dateUpdated": "2026-02-26T17:48:19.381Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-57767 (GCVE-0-2025-57767)

    Vulnerability from cvelistv5 – Published: 2025-08-28 15:33 – Updated: 2025-08-28 17:12
    VLAI
    Title
    Asterisk can crash from a specifically malformed Authorization header in an incoming SIP request
    Summary
    Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.15.2, 21.10.2, and 22.5.2, if a SIP request is received with an Authorization header that contains a realm that wasn't in a previous 401 response's WWW-Authenticate header, or an Authorization header with an incorrect realm was received without a previous 401 response being sent, the get_authorization_header() function in res_pjsip_authenticator_digest will return a NULL. This wasn't being checked before attempting to get the digest algorithm from the header which causes a SEGV. This issue has been patched in versions 20.15.2, 21.10.2, and 22.5.2. There are no workarounds.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-253 - Incorrect Check of Function Return Value
    Assigner
    Impacted products
    Vendor Product Version
    asterisk asterisk Affected: < 22.5.2
    Affected: < 21.10.2
    Affected: < 20.15.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-57767",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-28T17:12:27.086945Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-28T17:12:35.539Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "asterisk",
              "vendor": "asterisk",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 22.5.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 21.10.2"
                },
                {
                  "status": "affected",
                  "version": "\u003c 20.15.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.15.2, 21.10.2, and 22.5.2, if a SIP request is received with an Authorization header that contains a realm that wasn\u0027t in a previous 401 response\u0027s WWW-Authenticate header, or an Authorization header with an incorrect realm was received without a previous 401 response being sent, the get_authorization_header() function in res_pjsip_authenticator_digest will return a NULL. This wasn\u0027t being checked before attempting to get the digest algorithm from the header which causes a SEGV. This issue has been patched in versions 20.15.2, 21.10.2, and 22.5.2. There are no workarounds."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-253",
                  "description": "CWE-253: Incorrect Check of Function Return Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-28T15:33:00.087Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-64qc-9x89-rx5j",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-64qc-9x89-rx5j"
            },
            {
              "name": "https://github.com/asterisk/asterisk/pull/1407",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/asterisk/asterisk/pull/1407"
            },
            {
              "name": "https://github.com/asterisk/asterisk/commit/02993717b08f899d4aca9888062f35dfb198584f",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/asterisk/asterisk/commit/02993717b08f899d4aca9888062f35dfb198584f"
            }
          ],
          "source": {
            "advisory": "GHSA-64qc-9x89-rx5j",
            "discovery": "UNKNOWN"
          },
          "title": "Asterisk can crash from a specifically malformed Authorization header in an incoming SIP request"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-57767",
        "datePublished": "2025-08-28T15:33:00.087Z",
        "dateReserved": "2025-08-19T15:16:22.917Z",
        "dateUpdated": "2025-08-28T17:12:35.539Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-54995 (GCVE-0-2025-54995)

    Vulnerability from cvelistv5 – Published: 2025-08-28 15:08 – Updated: 2025-11-03 17:45
    VLAI
    Title
    Asterisk remotely exploitable leak of RTP UDP ports and internal resources
    Summary
    Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 18.26.4 and 18.9-cert17, RTP UDP ports and internal resources can leak due to a lack of session termination. This could result in leaks and resource exhaustion. This issue has been patched in versions 18.26.4 and 18.9-cert17.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1286 - Improper Validation of Syntactic Correctness of Input
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Impacted products
    Vendor Product Version
    asterisk asterisk Affected: < 18.26.4
    Affected: < 18.9-cert17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54995",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-28T18:53:35.935192Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-28T18:54:20.465Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T17:45:15.011Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00006.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "asterisk",
              "vendor": "asterisk",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 18.26.4"
                },
                {
                  "status": "affected",
                  "version": "\u003c 18.9-cert17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 18.26.4 and 18.9-cert17, RTP UDP ports and internal resources can leak due to a lack of session termination. This could result in leaks and resource exhaustion. This issue has been patched in versions 18.26.4 and 18.9-cert17."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1286",
                  "description": "CWE-1286: Improper Validation of Syntactic Correctness of Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-28T15:08:04.468Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-557q-795j-wfx2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-557q-795j-wfx2"
            },
            {
              "name": "https://github.com/asterisk/asterisk/pull/1405",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/asterisk/asterisk/pull/1405"
            },
            {
              "name": "https://github.com/asterisk/asterisk/pull/1406",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/asterisk/asterisk/pull/1406"
            },
            {
              "name": "https://github.com/asterisk/asterisk/commit/0278f5bde14565c6838a6ec39bc21aee0cde56a9",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/asterisk/asterisk/commit/0278f5bde14565c6838a6ec39bc21aee0cde56a9"
            },
            {
              "name": "https://github.com/asterisk/asterisk/commit/eafcd7a451dcd007dddf324ac37dd55a4808338d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/asterisk/asterisk/commit/eafcd7a451dcd007dddf324ac37dd55a4808338d"
            }
          ],
          "source": {
            "advisory": "GHSA-557q-795j-wfx2",
            "discovery": "UNKNOWN"
          },
          "title": "Asterisk remotely exploitable leak of RTP UDP ports and internal resources"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-54995",
        "datePublished": "2025-08-28T15:08:04.468Z",
        "dateReserved": "2025-08-04T17:34:24.420Z",
        "dateUpdated": "2025-11-03T17:45:15.011Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-49832 (GCVE-0-2025-49832)

    Vulnerability from cvelistv5 – Published: 2025-08-01 17:57 – Updated: 2025-08-01 18:29
    VLAI
    Title
    Asterisk is Vulnerable to Remote DoS and possible RCE Attacks During Memory Allocation
    Summary
    Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in `asterisk/res/res_stir_shaken /verification.c` that can be exploited when an attacker can set an arbitrary Identity header, or STIR/SHAKEN is enabled, with verification set in the SIP profile associated with the endpoint to be attacked. This is fixed in versions 18.26.3, 20.7-cert6, 20.15.1, 21.10.1 and 22.5.1.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL Pointer Dereference
    Assigner
    References
    Impacted products
    Vendor Product Version
    asterisk asterisk Affected: < 18.26.3
    Affected: >= 20.00.0, < 20.15.1
    Affected: >= 21.00.0, < 21.10.1
    Affected: >= 22.00.0, < 22.5.1
    Affected: >= 20.7-cert6, < 20.7-cert7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-49832",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-01T18:28:56.826749Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-01T18:29:18.330Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "asterisk",
              "vendor": "asterisk",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 18.26.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.00.0, \u003c 20.15.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.00.0, \u003c 21.10.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 22.00.0, \u003c 22.5.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.7-cert6, \u003c 20.7-cert7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in `asterisk/res/res_stir_shaken /verification.c` that can be exploited when an attacker can set an arbitrary Identity header, or STIR/SHAKEN is enabled, with verification set in the SIP profile associated with the endpoint to be attacked. This is fixed in versions 18.26.3, 20.7-cert6, 20.15.1, 21.10.1 and 22.5.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-476",
                  "description": "CWE-476: NULL Pointer Dereference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-01T17:57:29.933Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-mrq5-74j5-f5cr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-mrq5-74j5-f5cr"
            }
          ],
          "source": {
            "advisory": "GHSA-mrq5-74j5-f5cr",
            "discovery": "UNKNOWN"
          },
          "title": "Asterisk is Vulnerable to Remote DoS and possible RCE Attacks During Memory Allocation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-49832",
        "datePublished": "2025-08-01T17:57:29.933Z",
        "dateReserved": "2025-06-11T14:33:57.799Z",
        "dateUpdated": "2025-08-01T18:29:18.330Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-47780 (GCVE-0-2025-47780)

    Vulnerability from cvelistv5 – Published: 2025-05-22 16:56 – Updated: 2025-11-03 20:04
    VLAI
    Title
    cli_permissions.conf: deny option does not work for disallowing shell commands
    Summary
    Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring `cli_permissions.conf` (e.g. with the config line `deny=!*`) does not work which could lead to a security risk. If an administrator running an Asterisk instance relies on the `cli_permissions.conf` file to work and expects it to deny all attempts to execute shell commands, then this could lead to a security vulnerability. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    Impacted products
    Vendor Product Version
    asterisk asterisk Affected: < 18.9-cert14
    Affected: >= 18.10, < 18.26.2
    Affected: >= 20.0, < 20.7-cert5
    Affected: >= 20.8, < 20.14.1
    Affected: >= 21.0, < 21.9.1
    Affected: >= 22.0, < 22.4.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-47780",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-22T17:24:44.875844Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-22T17:25:09.045Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T20:04:38.254Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00003.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "asterisk",
              "vendor": "asterisk",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 18.9-cert14"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 18.10, \u003c 18.26.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0, \u003c 20.7-cert5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.8, \u003c 20.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0, \u003c 21.9.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 22.0, \u003c 22.4.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring `cli_permissions.conf` (e.g. with the config line `deny=!*`) does not work which could lead to a security risk. If an administrator running an Asterisk instance relies on the `cli_permissions.conf` file to work and expects it to deny all attempts to execute shell commands, then this could lead to a security vulnerability. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-22T16:56:28.937Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2"
            }
          ],
          "source": {
            "advisory": "GHSA-c7p6-7mvq-8jq2",
            "discovery": "UNKNOWN"
          },
          "title": "cli_permissions.conf: deny option does not work for disallowing shell commands"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-47780",
        "datePublished": "2025-05-22T16:56:28.937Z",
        "dateReserved": "2025-05-09T19:49:35.620Z",
        "dateUpdated": "2025-11-03T20:04:38.254Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-47779 (GCVE-0-2025-47779)

    Vulnerability from cvelistv5 – Published: 2025-05-22 16:54 – Updated: 2025-11-03 20:04
    VLAI
    Title
    Using malformed From header can forge identity with ";" or NULL in name portion
    Summary
    Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, SIP requests of the type MESSAGE (RFC 3428) authentication do not get proper alignment. An authenticated attacker can spoof any user identity to send spam messages to the user with their authorization token. Abuse of this security issue allows authenticated attackers to send fake chat messages can be spoofed to appear to come from trusted entities. Even administrators who follow Security best practices and Security Considerations can be impacted. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-140 - Improper Neutralization of Delimiters
    • CWE-792 - Incomplete Filtering of One or More Instances of Special Elements
    Assigner
    Impacted products
    Vendor Product Version
    asterisk asterisk Affected: < 18.9-cert14
    Affected: >= 18.10, < 18.26.2
    Affected: >= 20.0, < 20.7-cert5
    Affected: >= 20.8, < 20.14.1
    Affected: >= 21.0, < 21.9.1
    Affected: >= 22.0, < 22.4.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-47779",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-22T17:25:58.891881Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-22T17:26:57.260Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T20:04:36.858Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00003.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "asterisk",
              "vendor": "asterisk",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 18.9-cert14"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 18.10, \u003c 18.26.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0, \u003c 20.7-cert5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.8, \u003c 20.14.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0, \u003c 21.9.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 22.0, \u003c 22.4.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, SIP requests of the type MESSAGE (RFC 3428) authentication do not get proper alignment. An authenticated attacker can spoof any user identity to send spam messages to the user with their authorization token. Abuse of this security issue allows authenticated attackers to send fake chat messages can be spoofed to appear to come from trusted entities. Even administrators who follow Security best practices and Security Considerations can be impacted. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-140",
                  "description": "CWE-140: Improper Neutralization of Delimiters",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-792",
                  "description": "CWE-792: Incomplete Filtering of One or More Instances of Special Elements",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-22T16:54:26.314Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-2grh-7mhv-fcfw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-2grh-7mhv-fcfw"
            },
            {
              "name": "https://github.com/asterisk/asterisk/blob/master/configs/samples/pjsip.conf.sample",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/asterisk/asterisk/blob/master/configs/samples/pjsip.conf.sample"
            }
          ],
          "source": {
            "advisory": "GHSA-2grh-7mhv-fcfw",
            "discovery": "UNKNOWN"
          },
          "title": "Using malformed From header can forge identity with \";\" or NULL in name portion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-47779",
        "datePublished": "2025-05-22T16:54:26.314Z",
        "dateReserved": "2025-05-09T19:49:35.620Z",
        "dateUpdated": "2025-11-03T20:04:36.858Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }