cvelistv5 - cve-2025-47779

CVE-2025-47779 (GCVE-0-2025-47779)

Vulnerability from cvelistv5 – Published: 2025-05-22 16:54 – Updated: 2025-11-03 20:04

Summary

Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, SIP requests of the type MESSAGE (RFC 3428) authentication do not get proper alignment. An authenticated attacker can spoof any user identity to send spam messages to the user with their authorization token. Abuse of this security issue allows authenticated attackers to send fake chat messages can be spoofed to appear to come from trusted entities. Even administrators who follow Security best practices and Security Considerations can be impacted. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.

Severity ?

7.7 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

CWE

CWE-140 - Improper Neutralization of Delimiters
CWE-792 - Incomplete Filtering of One or More Instances of Special Elements

Assigner

GitHub_M

References

URL

Tags

	https://github.com/asterisk/asterisk/security/adv…	x_refsource_CONFIRM
	https://github.com/asterisk/asterisk/blob/master/…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	asterisk	asterisk	Affected: < 18.9-cert14 Affected: >= 18.10, < 18.26.2 Affected: >= 20.0, < 20.7-cert5 Affected: >= 20.8, < 20.14.1 Affected: >= 21.0, < 21.9.1 Affected: >= 22.0, < 22.4.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-47779",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-22T17:25:58.891881Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-22T17:26:57.260Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:04:36.858Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00003.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "asterisk",
          "vendor": "asterisk",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 18.9-cert14"
            },
            {
              "status": "affected",
              "version": "\u003e= 18.10, \u003c 18.26.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 20.0, \u003c 20.7-cert5"
            },
            {
              "status": "affected",
              "version": "\u003e= 20.8, \u003c 20.14.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 21.0, \u003c 21.9.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 22.0, \u003c 22.4.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, SIP requests of the type MESSAGE (RFC 3428) authentication do not get proper alignment. An authenticated attacker can spoof any user identity to send spam messages to the user with their authorization token. Abuse of this security issue allows authenticated attackers to send fake chat messages can be spoofed to appear to come from trusted entities. Even administrators who follow Security best practices and Security Considerations can be impacted. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-140",
              "description": "CWE-140: Improper Neutralization of Delimiters",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-792",
              "description": "CWE-792: Incomplete Filtering of One or More Instances of Special Elements",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-22T16:54:26.314Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/asterisk/asterisk/security/advisories/GHSA-2grh-7mhv-fcfw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-2grh-7mhv-fcfw"
        },
        {
          "name": "https://github.com/asterisk/asterisk/blob/master/configs/samples/pjsip.conf.sample",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/asterisk/asterisk/blob/master/configs/samples/pjsip.conf.sample"
        }
      ],
      "source": {
        "advisory": "GHSA-2grh-7mhv-fcfw",
        "discovery": "UNKNOWN"
      },
      "title": "Using malformed From header can forge identity with \";\" or NULL in name portion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-47779",
    "datePublished": "2025-05-22T16:54:26.314Z",
    "dateReserved": "2025-05-09T19:49:35.620Z",
    "dateUpdated": "2025-11-03T20:04:36.858Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-47779\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-05-22T17:15:24.730\",\"lastModified\":\"2025-11-03T20:19:05.613\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, SIP requests of the type MESSAGE (RFC 3428) authentication do not get proper alignment. An authenticated attacker can spoof any user identity to send spam messages to the user with their authorization token. Abuse of this security issue allows authenticated attackers to send fake chat messages can be spoofed to appear to come from trusted entities. Even administrators who follow Security best practices and Security Considerations can be impacted. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.\"},{\"lang\":\"es\",\"value\":\"Asterisk es una centralita privada (PBX) de c\u00f3digo abierto. En versiones anteriores a las 18.26.2, 20.14.1, 21.9.1 y 22.4.1 de Asterisk, y a las versiones 18.9-cert14 y 20.7-cert5 de Asterisk certificado, las solicitudes SIP con autenticaci\u00f3n de tipo MESSAGE (RFC 3428) no se alineaban correctamente. Un atacante autenticado puede suplantar la identidad de cualquier usuario para enviarle spam con su token de autorizaci\u00f3n. El abuso de este problema de seguridad permite a los atacantes autenticados enviar mensajes de chat falsos, que pueden falsificarse para que parezcan provenir de entidades de confianza. Incluso los administradores que siguen las mejores pr\u00e1cticas y consideraciones de seguridad pueden verse afectados. Por lo tanto, el abuso puede generar spam y facilitar la ingenier\u00eda social, el phishing y ataques similares. Las versiones 18.26.2, 20.14.1, 21.9.1 y 22.4.1 de Asterisk y las versiones 18.9-cert14 y 20.7-cert5 de certified-asterisk solucionan el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N\",\"baseScore\":7.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.1,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-140\"},{\"lang\":\"en\",\"value\":\"CWE-792\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"18.26.2\",\"matchCriteriaId\":\"9D8ABBB7-3EF6-4F87-B4E5-448B5F41E11D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"20.0.0\",\"versionEndExcluding\":\"20.14.1\",\"matchCriteriaId\":\"8CB4CCCD-14C6-42B6-954F-D755A4A8E421\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"21.0.0\",\"versionEndExcluding\":\"21.9.1\",\"matchCriteriaId\":\"07A86DB1-0C3F-4AE6-B185-59430869B3F9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"22.0.0\",\"versionEndExcluding\":\"22.4.1\",\"matchCriteriaId\":\"528ED48E-C83F-4076-B672-E8AC54BB5AFC\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"18.9\",\"matchCriteriaId\":\"B71A493F-F47B-4F19-AD21-3800DE63DF5A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:18.9:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"2A7FA28D-33B7-4F20-8235-E66C21019875\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1:*:*:*:*:*:*\",\"matchCriteriaId\":\"79EEB5E5-B79E-454B-8DCD-3272BA337A9E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1-rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"AD3BBA39-95EC-462F-8F5A-15E8D07CC804\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert10:*:*:*:*:*:*\",\"matchCriteriaId\":\"D6BF553C-020D-4F99-9995-CA4A4383B2DD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert11:*:*:*:*:*:*\",\"matchCriteriaId\":\"E3069F1F-DDE8-4E9A-B4FF-64B7B11EEFCB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert12:*:*:*:*:*:*\",\"matchCriteriaId\":\"890205E3-973D-422E-940A-E9190BA37EFD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert13:*:*:*:*:*:*\",\"matchCriteriaId\":\"23100176-0528-448D-B2FA-D3B9B31A249D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert2:*:*:*:*:*:*\",\"matchCriteriaId\":\"892BAE5D-A64E-4FE0-9A99-8C07F342A042\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert3:*:*:*:*:*:*\",\"matchCriteriaId\":\"1A716A45-7075-4CA6-9EF5-2DD088248A5C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert4:*:*:*:*:*:*\",\"matchCriteriaId\":\"80EFA05B-E22D-49CE-BDD6-5C7123F1C12B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert5:*:*:*:*:*:*\",\"matchCriteriaId\":\"20FD475F-2B46-47C9-B535-1561E29CB7A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert6:*:*:*:*:*:*\",\"matchCriteriaId\":\"7238FCD9-9F40-44BA-A170-69D4857AA1CE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert7:*:*:*:*:*:*\",\"matchCriteriaId\":\"F657B046-6C83-48F9-A0B1-C63CDA7FD61D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert8:*:*:*:*:*:*\",\"matchCriteriaId\":\"6D87C7DE-23EA-4532-A2E4-9BF82ADE12DC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert8-rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"B79A5B46-5CA3-445E-BE47-1711DCD038A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert8-rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"D600B37E-94EA-48DE-B48E-871B3A983721\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert9:*:*:*:*:*:*\",\"matchCriteriaId\":\"2FC3A00E-D1C6-467F-8FE7-E8437A527B3C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1:*:*:*:*:*:*\",\"matchCriteriaId\":\"79225576-AF7C-4099-9624-C53578A7417F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"29323E6E-12C9-46C7-B29C-25E0CD537A8E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"8E563972-78C0-40A0-83EA-6A3BA3D71946\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:20.7:cert2:*:*:*:*:*:*\",\"matchCriteriaId\":\"64209621-D458-432A-B0E3-C8D0B6698574\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:20.7:cert3:*:*:*:*:*:*\",\"matchCriteriaId\":\"B148158A-8354-41C2-A44C-2C0DAABAD217\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:20.7:cert4:*:*:*:*:*:*\",\"matchCriteriaId\":\"3D4D96E8-1F01-42B8-9181-67DEB12D9DD2\"}]}]}],\"references\":[{\"url\":\"https://github.com/asterisk/asterisk/blob/master/configs/samples/pjsip.conf.sample\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/asterisk/asterisk/security/advisories/GHSA-2grh-7mhv-fcfw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/06/msg00003.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.debian.org/debian-lts-announce/2025/06/msg00003.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T20:04:36.858Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-47779\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-22T17:25:58.891881Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-22T17:26:51.712Z\"}}], \"cna\": {\"title\": \"Using malformed From header can forge identity with \\\";\\\" or NULL in name portion\", \"source\": {\"advisory\": \"GHSA-2grh-7mhv-fcfw\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"asterisk\", \"product\": \"asterisk\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 18.9-cert14\"}, {\"status\": \"affected\", \"version\": \"\u003e= 18.10, \u003c 18.26.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 20.0, \u003c 20.7-cert5\"}, {\"status\": \"affected\", \"version\": \"\u003e= 20.8, \u003c 20.14.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 21.0, \u003c 21.9.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 22.0, \u003c 22.4.1\"}]}], \"references\": [{\"url\": \"https://github.com/asterisk/asterisk/security/advisories/GHSA-2grh-7mhv-fcfw\", \"name\": \"https://github.com/asterisk/asterisk/security/advisories/GHSA-2grh-7mhv-fcfw\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/asterisk/asterisk/blob/master/configs/samples/pjsip.conf.sample\", \"name\": \"https://github.com/asterisk/asterisk/blob/master/configs/samples/pjsip.conf.sample\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, SIP requests of the type MESSAGE (RFC 3428) authentication do not get proper alignment. An authenticated attacker can spoof any user identity to send spam messages to the user with their authorization token. Abuse of this security issue allows authenticated attackers to send fake chat messages can be spoofed to appear to come from trusted entities. Even administrators who follow Security best practices and Security Considerations can be impacted. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-140\", \"description\": \"CWE-140: Improper Neutralization of Delimiters\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-792\", \"description\": \"CWE-792: Incomplete Filtering of One or More Instances of Special Elements\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-05-22T16:54:26.314Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-47779\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-03T20:04:36.858Z\", \"dateReserved\": \"2025-05-09T19:49:35.620Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-05-22T16:54:26.314Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

CERTFR-2025-AVI-0446

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans Asterisk. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Asterisk	Asterisk	asterisk versions 18.26.x antérieures à 18.26.2
Asterisk	Asterisk	asterisk versions 21.9.x antérieures à 21.9.1
Asterisk	Asterisk	asterisk versions 20.7-certx antérieures à 20.7-cert5
Asterisk	Asterisk	asterisk versions 20.14.x antérieures à 20.14.1
Asterisk	Asterisk	asterisk versions 22.4.x antérieures à 22.4.1
Asterisk	Asterisk	asterisk versions 18.9-certx antérieures à 18.9-cert14

References

Title

Publication Time

Tags

Bulletin de sécurité Asterisk GHSA-c7p6-7mvq-8jq2	2025-05-22	vendor-advisory
Bulletin de sécurité Asterisk GHSA-2grh-7mhv-fcfw	2025-05-22	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "asterisk versions 18.26.x ant\u00e9rieures \u00e0 18.26.2",
      "product": {
        "name": "Asterisk",
        "vendor": {
          "name": "Asterisk",
          "scada": false
        }
      }
    },
    {
      "description": "asterisk versions 21.9.x ant\u00e9rieures \u00e0 21.9.1",
      "product": {
        "name": "Asterisk",
        "vendor": {
          "name": "Asterisk",
          "scada": false
        }
      }
    },
    {
      "description": "asterisk versions 20.7-certx ant\u00e9rieures \u00e0 20.7-cert5",
      "product": {
        "name": "Asterisk",
        "vendor": {
          "name": "Asterisk",
          "scada": false
        }
      }
    },
    {
      "description": "asterisk versions 20.14.x ant\u00e9rieures \u00e0 20.14.1",
      "product": {
        "name": "Asterisk",
        "vendor": {
          "name": "Asterisk",
          "scada": false
        }
      }
    },
    {
      "description": "asterisk versions 22.4.x ant\u00e9rieures \u00e0 22.4.1",
      "product": {
        "name": "Asterisk",
        "vendor": {
          "name": "Asterisk",
          "scada": false
        }
      }
    },
    {
      "description": "asterisk versions 18.9-certx ant\u00e9rieures \u00e0 18.9-cert14",
      "product": {
        "name": "Asterisk",
        "vendor": {
          "name": "Asterisk",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-47780",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-47780"
    },
    {
      "name": "CVE-2025-47779",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-47779"
    }
  ],
  "links": [],
  "reference": "CERTFR-2025-AVI-0446",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-05-23T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Asterisk. Elles permettent \u00e0 un attaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Asterisk",
  "vendor_advisories": [
    {
      "published_at": "2025-05-22",
      "title": "Bulletin de s\u00e9curit\u00e9 Asterisk GHSA-c7p6-7mvq-8jq2",
      "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2"
    },
    {
      "published_at": "2025-05-22",
      "title": "Bulletin de s\u00e9curit\u00e9 Asterisk GHSA-2grh-7mhv-fcfw",
      "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-2grh-7mhv-fcfw"
    }
  ]
}

CERTFR-2025-AVI-0446

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans Asterisk. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Asterisk	Asterisk	asterisk versions 18.26.x antérieures à 18.26.2
Asterisk	Asterisk	asterisk versions 21.9.x antérieures à 21.9.1
Asterisk	Asterisk	asterisk versions 20.7-certx antérieures à 20.7-cert5
Asterisk	Asterisk	asterisk versions 20.14.x antérieures à 20.14.1
Asterisk	Asterisk	asterisk versions 22.4.x antérieures à 22.4.1
Asterisk	Asterisk	asterisk versions 18.9-certx antérieures à 18.9-cert14

References

Title

Publication Time

Tags

Bulletin de sécurité Asterisk GHSA-c7p6-7mvq-8jq2	2025-05-22	vendor-advisory
Bulletin de sécurité Asterisk GHSA-2grh-7mhv-fcfw	2025-05-22	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "asterisk versions 18.26.x ant\u00e9rieures \u00e0 18.26.2",
      "product": {
        "name": "Asterisk",
        "vendor": {
          "name": "Asterisk",
          "scada": false
        }
      }
    },
    {
      "description": "asterisk versions 21.9.x ant\u00e9rieures \u00e0 21.9.1",
      "product": {
        "name": "Asterisk",
        "vendor": {
          "name": "Asterisk",
          "scada": false
        }
      }
    },
    {
      "description": "asterisk versions 20.7-certx ant\u00e9rieures \u00e0 20.7-cert5",
      "product": {
        "name": "Asterisk",
        "vendor": {
          "name": "Asterisk",
          "scada": false
        }
      }
    },
    {
      "description": "asterisk versions 20.14.x ant\u00e9rieures \u00e0 20.14.1",
      "product": {
        "name": "Asterisk",
        "vendor": {
          "name": "Asterisk",
          "scada": false
        }
      }
    },
    {
      "description": "asterisk versions 22.4.x ant\u00e9rieures \u00e0 22.4.1",
      "product": {
        "name": "Asterisk",
        "vendor": {
          "name": "Asterisk",
          "scada": false
        }
      }
    },
    {
      "description": "asterisk versions 18.9-certx ant\u00e9rieures \u00e0 18.9-cert14",
      "product": {
        "name": "Asterisk",
        "vendor": {
          "name": "Asterisk",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-47780",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-47780"
    },
    {
      "name": "CVE-2025-47779",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-47779"
    }
  ],
  "links": [],
  "reference": "CERTFR-2025-AVI-0446",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-05-23T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Asterisk. Elles permettent \u00e0 un attaquant de provoquer un contournement de la politique de s\u00e9curit\u00e9.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Asterisk",
  "vendor_advisories": [
    {
      "published_at": "2025-05-22",
      "title": "Bulletin de s\u00e9curit\u00e9 Asterisk GHSA-c7p6-7mvq-8jq2",
      "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2"
    },
    {
      "published_at": "2025-05-22",
      "title": "Bulletin de s\u00e9curit\u00e9 Asterisk GHSA-2grh-7mhv-fcfw",
      "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-2grh-7mhv-fcfw"
    }
  ]
}

WID-SEC-W-2025-1135

Vulnerability from csaf_certbund - Published: 2025-05-22 22:00 - Updated: 2025-06-02 22:00

Summary

Asterisk: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Asterisk ist eine komplette Open Source Multiprotokoll Telefonanlage (PBX) auf Softwarebasis.

Angriff

Ein Angreifer kann mehrere Schwachstellen in Asterisk ausnutzen, um falsche Informationen darzustellen und um Sicherheitsvorkehrungen zu umgehen.

Betroffene Betriebssysteme

- Linux - Sonstiges - UNIX

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Asterisk ist eine komplette Open Source Multiprotokoll Telefonanlage (PBX) auf Softwarebasis.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Asterisk ausnutzen, um falsche Informationen darzustellen und um Sicherheitsvorkehrungen zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-1135 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1135.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-1135 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1135"
      },
      {
        "category": "external",
        "summary": "Asterisk Github vom 2025-05-22",
        "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-2grh-7mhv-fcfw"
      },
      {
        "category": "external",
        "summary": "Asterisk Github vom 2025-05-22",
        "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-4206 vom 2025-06-02",
        "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00003.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Asterisk: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-06-02T22:00:00.000+00:00",
      "generator": {
        "date": "2025-06-03T09:29:08.893+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2025-1135",
      "initial_release_date": "2025-05-22T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-05-22T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-06-02T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Debian aufgenommen"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c18.26.2",
                "product": {
                  "name": "Open Source Asterisk \u003c18.26.2",
                  "product_id": "T044124"
                }
              },
              {
                "category": "product_version",
                "name": "18.26.2",
                "product": {
                  "name": "Open Source Asterisk 18.26.2",
                  "product_id": "T044124-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:digium:asterisk:18.26.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c20.14.1",
                "product": {
                  "name": "Open Source Asterisk \u003c20.14.1",
                  "product_id": "T044125"
                }
              },
              {
                "category": "product_version",
                "name": "20.14.1",
                "product": {
                  "name": "Open Source Asterisk 20.14.1",
                  "product_id": "T044125-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:digium:asterisk:20.14.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c21.9.1",
                "product": {
                  "name": "Open Source Asterisk \u003c21.9.1",
                  "product_id": "T044126"
                }
              },
              {
                "category": "product_version",
                "name": "21.9.1",
                "product": {
                  "name": "Open Source Asterisk 21.9.1",
                  "product_id": "T044126-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:digium:asterisk:21.9.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c22.4.1",
                "product": {
                  "name": "Open Source Asterisk \u003c22.4.1",
                  "product_id": "T044127"
                }
              },
              {
                "category": "product_version",
                "name": "22.4.1",
                "product": {
                  "name": "Open Source Asterisk 22.4.1",
                  "product_id": "T044127-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:digium:asterisk:22.4.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c18.9-cert14",
                "product": {
                  "name": "Open Source Asterisk \u003c18.9-cert14",
                  "product_id": "T044128"
                }
              },
              {
                "category": "product_version",
                "name": "18.9-cert14",
                "product": {
                  "name": "Open Source Asterisk 18.9-cert14",
                  "product_id": "T044128-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:digium:asterisk:18.9-cert14"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c20.7-cert5",
                "product": {
                  "name": "Open Source Asterisk \u003c20.7-cert5",
                  "product_id": "T044129"
                }
              },
              {
                "category": "product_version",
                "name": "20.7-cert5",
                "product": {
                  "name": "Open Source Asterisk 20.7-cert5",
                  "product_id": "T044129-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:digium:asterisk:20.7-cert5"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Asterisk"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-47779",
      "product_status": {
        "known_affected": [
          "T044126",
          "T044125",
          "T044128",
          "T044127",
          "2951",
          "T044129",
          "T044124"
        ]
      },
      "release_date": "2025-05-22T22:00:00.000+00:00",
      "title": "CVE-2025-47779"
    },
    {
      "cve": "CVE-2025-47780",
      "product_status": {
        "known_affected": [
          "T044126",
          "T044125",
          "T044128",
          "T044127",
          "2951",
          "T044129",
          "T044124"
        ]
      },
      "release_date": "2025-05-22T22:00:00.000+00:00",
      "title": "CVE-2025-47780"
    }
  ]
}

FKIE_CVE-2025-47779

Vulnerability from fkie_nvd - Published: 2025-05-22 17:15 - Updated: 2025-11-03 20:19

Severity ?

7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/asterisk/asterisk/blob/master/configs/samples/pjsip.conf.sample	Product
security-advisories@github.com	https://github.com/asterisk/asterisk/security/advisories/GHSA-2grh-7mhv-fcfw	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2025/06/msg00003.html

Impacted products

Vendor	Product	Version
sangoma	asterisk	*
sangoma	asterisk	*
sangoma	asterisk	*
sangoma	asterisk	*
sangoma	certified_asterisk	*
sangoma	certified_asterisk	18.9
sangoma	certified_asterisk	18.9
sangoma	certified_asterisk	18.9
sangoma	certified_asterisk	18.9
sangoma	certified_asterisk	18.9
sangoma	certified_asterisk	18.9
sangoma	certified_asterisk	18.9
sangoma	certified_asterisk	18.9
sangoma	certified_asterisk	18.9
sangoma	certified_asterisk	18.9
sangoma	certified_asterisk	18.9
sangoma	certified_asterisk	18.9
sangoma	certified_asterisk	18.9
sangoma	certified_asterisk	18.9
sangoma	certified_asterisk	18.9
sangoma	certified_asterisk	18.9
sangoma	certified_asterisk	18.9
sangoma	certified_asterisk	20.7
sangoma	certified_asterisk	20.7
sangoma	certified_asterisk	20.7
sangoma	certified_asterisk	20.7
sangoma	certified_asterisk	20.7
sangoma	certified_asterisk	20.7

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9D8ABBB7-3EF6-4F87-B4E5-448B5F41E11D",
              "versionEndExcluding": "18.26.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8CB4CCCD-14C6-42B6-954F-D755A4A8E421",
              "versionEndExcluding": "20.14.1",
              "versionStartIncluding": "20.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "07A86DB1-0C3F-4AE6-B185-59430869B3F9",
              "versionEndExcluding": "21.9.1",
              "versionStartIncluding": "21.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "528ED48E-C83F-4076-B672-E8AC54BB5AFC",
              "versionEndExcluding": "22.4.1",
              "versionStartIncluding": "22.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B71A493F-F47B-4F19-AD21-3800DE63DF5A",
              "versionEndExcluding": "18.9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:18.9:-:*:*:*:*:*:*",
              "matchCriteriaId": "2A7FA28D-33B7-4F20-8235-E66C21019875",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1:*:*:*:*:*:*",
              "matchCriteriaId": "79EEB5E5-B79E-454B-8DCD-3272BA337A9E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1-rc1:*:*:*:*:*:*",
              "matchCriteriaId": "AD3BBA39-95EC-462F-8F5A-15E8D07CC804",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:18.9:cert10:*:*:*:*:*:*",
              "matchCriteriaId": "D6BF553C-020D-4F99-9995-CA4A4383B2DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:18.9:cert11:*:*:*:*:*:*",
              "matchCriteriaId": "E3069F1F-DDE8-4E9A-B4FF-64B7B11EEFCB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:18.9:cert12:*:*:*:*:*:*",
              "matchCriteriaId": "890205E3-973D-422E-940A-E9190BA37EFD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:18.9:cert13:*:*:*:*:*:*",
              "matchCriteriaId": "23100176-0528-448D-B2FA-D3B9B31A249D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:18.9:cert2:*:*:*:*:*:*",
              "matchCriteriaId": "892BAE5D-A64E-4FE0-9A99-8C07F342A042",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:18.9:cert3:*:*:*:*:*:*",
              "matchCriteriaId": "1A716A45-7075-4CA6-9EF5-2DD088248A5C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:18.9:cert4:*:*:*:*:*:*",
              "matchCriteriaId": "80EFA05B-E22D-49CE-BDD6-5C7123F1C12B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:18.9:cert5:*:*:*:*:*:*",
              "matchCriteriaId": "20FD475F-2B46-47C9-B535-1561E29CB7A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:18.9:cert6:*:*:*:*:*:*",
              "matchCriteriaId": "7238FCD9-9F40-44BA-A170-69D4857AA1CE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:18.9:cert7:*:*:*:*:*:*",
              "matchCriteriaId": "F657B046-6C83-48F9-A0B1-C63CDA7FD61D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:18.9:cert8:*:*:*:*:*:*",
              "matchCriteriaId": "6D87C7DE-23EA-4532-A2E4-9BF82ADE12DC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:18.9:cert8-rc1:*:*:*:*:*:*",
              "matchCriteriaId": "B79A5B46-5CA3-445E-BE47-1711DCD038A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:18.9:cert8-rc2:*:*:*:*:*:*",
              "matchCriteriaId": "D600B37E-94EA-48DE-B48E-871B3A983721",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:18.9:cert9:*:*:*:*:*:*",
              "matchCriteriaId": "2FC3A00E-D1C6-467F-8FE7-E8437A527B3C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1:*:*:*:*:*:*",
              "matchCriteriaId": "79225576-AF7C-4099-9624-C53578A7417F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc1:*:*:*:*:*:*",
              "matchCriteriaId": "29323E6E-12C9-46C7-B29C-25E0CD537A8E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc2:*:*:*:*:*:*",
              "matchCriteriaId": "8E563972-78C0-40A0-83EA-6A3BA3D71946",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert2:*:*:*:*:*:*",
              "matchCriteriaId": "64209621-D458-432A-B0E3-C8D0B6698574",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert3:*:*:*:*:*:*",
              "matchCriteriaId": "B148158A-8354-41C2-A44C-2C0DAABAD217",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert4:*:*:*:*:*:*",
              "matchCriteriaId": "3D4D96E8-1F01-42B8-9181-67DEB12D9DD2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, SIP requests of the type MESSAGE (RFC 3428) authentication do not get proper alignment. An authenticated attacker can spoof any user identity to send spam messages to the user with their authorization token. Abuse of this security issue allows authenticated attackers to send fake chat messages can be spoofed to appear to come from trusted entities. Even administrators who follow Security best practices and Security Considerations can be impacted. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue."
    },
    {
      "lang": "es",
      "value": "Asterisk es una centralita privada (PBX) de c\u00f3digo abierto. En versiones anteriores a las 18.26.2, 20.14.1, 21.9.1 y 22.4.1 de Asterisk, y a las versiones 18.9-cert14 y 20.7-cert5 de Asterisk certificado, las solicitudes SIP con autenticaci\u00f3n de tipo MESSAGE (RFC 3428) no se alineaban correctamente. Un atacante autenticado puede suplantar la identidad de cualquier usuario para enviarle spam con su token de autorizaci\u00f3n. El abuso de este problema de seguridad permite a los atacantes autenticados enviar mensajes de chat falsos, que pueden falsificarse para que parezcan provenir de entidades de confianza. Incluso los administradores que siguen las mejores pr\u00e1cticas y consideraciones de seguridad pueden verse afectados. Por lo tanto, el abuso puede generar spam y facilitar la ingenier\u00eda social, el phishing y ataques similares. Las versiones 18.26.2, 20.14.1, 21.9.1 y 22.4.1 de Asterisk y las versiones 18.9-cert14 y 20.7-cert5 de certified-asterisk solucionan el problema."
    }
  ],
  "id": "CVE-2025-47779",
  "lastModified": "2025-11-03T20:19:05.613",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-05-22T17:15:24.730",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/asterisk/asterisk/blob/master/configs/samples/pjsip.conf.sample"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-2grh-7mhv-fcfw"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00003.html"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-140"
        },
        {
          "lang": "en",
          "value": "CWE-792"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-47779 (GCVE-0-2025-47779)

CERTFR-2025-AVI-0446

Solutions

CERTFR-2025-AVI-0446

Solutions

WID-SEC-W-2025-1135

FKIE_CVE-2025-47779

Tags

Sightings

Nomenclature