CVE-2018-7284
7.5
HIGH
CVSS 3.1
EPSS 65.2%
Description
A Buffer Overflow issue was discovered in Asterisk through 13.19.1, 14.x through 14.7.5, and 15.x through 15.2.1, and Certified Asterisk through 13.18-cert2. When processing a SUBSCRIBE request, the res_pjsip_pubsub module stores the accepted formats present in the Accept headers of the request. This code did not limit the number of headers it processed, despite having a fixed limit of 32. If more than 32 Accept headers were present, the code would write outside of its memory and cause a crash.
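The defect described above is a loop that stores one entry per Accept header into a table sized for 32 entries without checking the index against that size. The following is an added example written for this page, not Asterisk's code: a toy SIP header scanner that fills a 32-slot table from a SUBSCRIBE request, first in the unbounded form the advisory describes and then in a bounded form that rejects the request instead of writing past the table. All function and type names, the `MAX_FORMATS`/`FORMAT_LEN` constants and the sample request are hypothetical; the request builder constructs the sample input in code.

```c
/* Added example (not Asterisk code). Constants and names are hypothetical;
 * only the 32-slot limit and the Accept-header loop mirror the advisory. */
#include <stdio.h>
#include <string.h>

#define MAX_FORMATS 32   /* fixed table size named in the advisory */
#define FORMAT_LEN  64

struct accept_table {
    int  count;
    char formats[MAX_FORMATS][FORMAT_LEN];
};

/* Return the value start of the next "Accept:" line in a CRLF-separated
 * message, or NULL. p must point at the start of a header line. The toy
 * scanner matches the canonical spelling only (SIP header names are
 * case-insensitive, so a real parser must fold case). */
static const char *next_accept(const char *p)
{
    while (p && *p) {
        if (strncmp(p, "Accept:", 7) == 0)
            return p + 7;
        p = strstr(p, "\r\n");
        if (p)
            p += 2;
    }
    return NULL;
}

/* Copy one header value (up to CRLF) into dst, skipping leading blanks. */
static void copy_value(const char *src, char *dst, size_t cap)
{
    while (*src == ' ' || *src == '\t')
        src++;
    const char *end = strstr(src, "\r\n");
    size_t n = end ? (size_t)(end - src) : strlen(src);
    if (n >= cap)
        n = cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* The pattern the advisory describes: the loop trusts the request and keeps
 * storing past slot 31. Shown only to illustrate the defect; never call it
 * with more than MAX_FORMATS Accept headers. */
int collect_unbounded(const char *msg, struct accept_table *t)
{
    t->count = 0;
    for (const char *h = next_accept(msg); h; h = next_accept(strstr(h, "\r\n")))
        copy_value(h, t->formats[t->count++], FORMAT_LEN); /* no bound check */
    return t->count;
}

/* Hardened form: check the index before each store. Returns the number of
 * formats stored, or -1 when the request carries more than MAX_FORMATS so
 * the caller can reject the SUBSCRIBE instead of corrupting memory. */
int collect_bounded(const char *msg, struct accept_table *t)
{
    t->count = 0;
    for (const char *h = next_accept(msg); h; h = next_accept(strstr(h, "\r\n"))) {
        if (t->count >= MAX_FORMATS)
            return -1;
        copy_value(h, t->formats[t->count++], FORMAT_LEN);
    }
    return t->count;
}

/* Constructed SUBSCRIBE request with n Accept headers (sample input, not a
 * capture). Returns 0 on success, -1 if buf is too small. */
int build_subscribe(int n, char *buf, size_t cap)
{
    int len = snprintf(buf, cap,
                       "SUBSCRIBE sip:alice@example.com SIP/2.0\r\n"
                       "Event: presence\r\n");
    if (len < 0 || (size_t)len >= cap)
        return -1;
    for (int i = 0; i < n; i++) {
        int k = snprintf(buf + len, cap - len, "Accept: application/x-format-%d\r\n", i);
        if (k < 0 || (size_t)k >= cap - len)
            return -1;
        len += k;
    }
    int k = snprintf(buf + len, cap - len, "Content-Length: 0\r\n\r\n");
    return (k < 0 || (size_t)k >= cap - len) ? -1 : 0;
}

/* Result of the bounded collector for a request with n Accept headers. */
int bounded_result_for(int n)
{
    static char msg[4096];
    struct accept_table t;
    if (build_subscribe(n, msg, sizeof msg) != 0)
        return -2;
    return collect_bounded(msg, &t);
}

int main(void)
{
    printf("32 Accept headers -> %d stored\n", bounded_result_for(32));
    printf("33 Accept headers -> %d (rejected)\n", bounded_result_for(33));
    return 0;
}
```

The unbounded loop and the bounded one behave identically for up to 32 headers; the 33rd header is where the first writes `formats[32]`, one entry past the table, while the second returns -1 and the request can be answered with an error.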
How to fix CVE-2018-7284
To remediate CVE-2018-7284, upgrade the affected package to a fixed version below.
- upgrade to 1:13.20.0~dfsg-1 or later (the distribution package version; upstream, the affected ranges in the description imply the fixed releases are the next ones, 13.19.2, 14.7.6, 15.2.2 and Certified Asterisk 13.18-cert3)
Is CVE-2018-7284 being exploited?
Likely. EPSS estimates a 65.2% probability of exploitation activity in the next 30 days, placing CVE-2018-7284 in the top tier of vulnerabilities by exploitation probability. EPSS is a prediction, not confirmation of in-the-wild exploitation, and the impact per the CVSS vector is availability only (a crash of the SIP process), but the trigger is an unauthenticated SUBSCRIBE request with more than 32 Accept headers, which is trivial to craft. Prioritise patching.
Affected packages (1)
- all versions before 1:13.20.0~dfsg-1 (introduced at version 0, i.e. every earlier package version)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |

The vector string carries a CVSS:3.0 prefix while the version column says 3.1; the metrics are identical under both versions and both yield 7.5. Reading the vector: reachable over the network, low attack complexity, no privileges or user interaction required, unchanged scope, no confidentiality or integrity impact, high availability impact.