NULL pointer dereference in Asterisk
CVE-2024-42491
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.24.3, 20.9.3, and 21.4.3 of Asterisk and versions 18.9-cert12 and 20.7-cert2 of certified-asterisk, if Asterisk attempts to send a SIP request to a URI whose ho…
EPSS: 0.006 (42.0th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 5.7 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H.
Affected products
- Asterisk — versions < 18.24.3, >= 19.0.0, < 20.9.3, >= 21.0.0, < 21.4.3
- Sangoma Asterisk
- Sangoma Certified_asterisk — versions 18.9, 20.7
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM, Vendor Advisory)
- security-advisories@github.com (Patch, x_refsource_MISC)
- security-advisories@github.com (Patch, x_refsource_MISC)
- security-advisories@github.com (Patch, x_refsource_MISC)
- security-advisories@github.com (Patch, x_refsource_MISC)
- security-advisories@github.com (Patch, x_refsource_MISC)
- af854a3a-2127-422b-91ae-364da2661108
Frequently asked questions
- What is CVE-2024-42491?
- CVE-2024-42491 is a medium-severity vulnerability in Asterisk, classified under CWE-252. CVSS score: 5.7/10. Published 2024-09-05.
- How severe is CVE-2024-42491?
- Medium severity. CVSS v3 base score is 5.7 out of 10.