← Back

CVE-2024-42491

nvd nist
Published: Sep 5, 2024Modified: Nov 3, 2025

JSON object

Loading...
5.7
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Exploitability: 2.1 / Impact: 3.6
Source: security-advisories@github.com (Secondary)

Description

Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.24.3, 20.9.3, and 21.4.3 of Asterisk and versions 18.9-cert12 and 20.7-cert2 of certified-asterisk, if Asterisk attempts to send a SIP request to a URI whose host portion starts with `.1` or `[.1]`, and res_resolver_unbound is loaded, Asterisk will crash with a SEGV. To receive a patch, users should upgrade to one of the following versions: 18.24.3, 20.9.3, 21.4.3, certified-18.9-cert12, certified-20.7-cert2. Two workarounds are available. Disable res_resolver_unbound by setting `noload = res_resolver_unbound.so` in modules.conf, or set `rewrite_contact = yes` on all PJSIP endpoints. NOTE: This may not be appropriate for all Asterisk configurations.

Affected (23)

Sangoma
2 products
Asterisk
Certified Asterisk
Configuration A
3 vulnerable
Vulnerable SoftwareAffected Versions
Sangoma
Asterisk
Before 18.24.3
Asterisk
From 20.0.0 to 20.9.3
Asterisk
From 21.0.0 to 21.4.3
Configuration B
20 vulnerable
Vulnerable SoftwareAffected Versions
Sangoma
Certified Asterisk
Before 18.9
Certified Asterisk
Version 18.9
Certified Asterisk
Version 18.9 cert1-rc1
Certified Asterisk
Version 18.9 cert10
Certified Asterisk
Version 18.9 cert11
Certified Asterisk
Version 18.9 cert1
Certified Asterisk
Version 18.9 cert2
Certified Asterisk
Version 18.9 cert3
Certified Asterisk
Version 18.9 cert4
Certified Asterisk
Version 18.9 cert5
Certified Asterisk
Version 18.9 cert6
Certified Asterisk
Version 18.9 cert7
Certified Asterisk
Version 18.9 cert8-rc1
Certified Asterisk
Version 18.9 cert8-rc2
Certified Asterisk
Version 18.9 cert8
Certified Asterisk
Version 18.9 cert9
Certified Asterisk
Version 20.7 cert1-rc1
Certified Asterisk
Version 20.7 cert1-rc2
Certified Asterisk
Version 20.7 cert1
Certified Asterisk
Version 20.7 cert2

Related CWEs

CWE-252
Unchecked Return Value
The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
CWE-476
NULL Pointer Dereference
The product dereferences a pointer that it expects to be valid but is NULL.

References (7)

Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.