Vulnerability Details : CVE-2022-42705
A use-after-free in res_pjsip_pubsub.c in Sangoma Asterisk 16.28, 18.14, 19.6, and certified/18.9-cert2 may allow a remote authenticated attacker to crash Asterisk (denial of service) by performing activity on a subscription via a reliable transport (TCP or TLS, as opposed to UDP) at the same time that Asterisk is also performing activity on that subscription. The bug class is a race between two contexts sharing one subscription object: one drops the last reference and frees the object while the other still holds a pointer to it and dereferences it.
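The following is an added illustration of that bug class, not Asterisk's code and not the actual res_pjsip_pubsub.c code path: a subscription object is shared by a transport-side handler and an owner context that terminates the subscription. The struct, function names, the two scenario functions and the `freed` flag (which stands in for a real `free()` so the misuse can be detected instead of corrupting memory) are all invented for the demo; Asterisk itself uses its ao2 reference-counted objects for this purpose.

```c
/*
 * Constructed illustration of a refcount race leading to use-after-free.
 * Not Asterisk's code: struct, names and scheduling are assumptions for the demo.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct subscription {
    int refcount;   /* number of live holders of this object */
    int freed;      /* demo only: set instead of free() so a UAF is detectable */
    char uri[64];
};

/* Hypothetical allocator; returns the object with one reference (the owner's). */
static struct subscription *sub_alloc(const char *uri)
{
    struct subscription *s = calloc(1, sizeof(*s));
    if (!s) {
        abort();
    }
    s->refcount = 1;
    snprintf(s->uri, sizeof(s->uri), "%s", uri);
    return s;
}

/* Take an additional reference for a context that will use the object later. */
static struct subscription *sub_ref(struct subscription *s)
{
    s->refcount++;
    return s;
}

/* Drop one reference; on the last one the object becomes invalid. */
static void sub_unref(struct subscription *s)
{
    if (--s->refcount == 0) {
        s->freed = 1;                        /* real code: free(s) */
        memset(s->uri, 0, sizeof(s->uri));   /* poison, like a real allocator might */
    }
}

/* Work done on the subscription (e.g. sending a NOTIFY).
 * Returns -1 if it would dereference freed memory, 0 on success. */
static int sub_do_work(struct subscription *s)
{
    if (s->freed) {
        return -1;   /* in real code this dereference is the use-after-free */
    }
    return s->uri[0] ? 0 : -1;
}

/* The owner context (Asterisk's own activity on the subscription, e.g. expiry)
 * drops its reference while the transport-side handler is still in flight. */
static void owner_terminates(struct subscription *s)
{
    sub_unref(s);
}

/* Vulnerable ordering: the handler keeps a raw pointer and takes no reference,
 * so the owner's release frees the object underneath it. Returns -1 (UAF). */
int scenario_unsafe(void)
{
    struct subscription *s = sub_alloc("sip:alice@example.invalid");
    struct subscription *handler_ptr = s;   /* raw pointer, no reference taken */
    owner_terminates(s);                    /* last reference gone: object freed */
    int rc = sub_do_work(handler_ptr);      /* detected here; real code would crash */
    free(s);                                /* demo-only cleanup of the backing memory */
    return rc;
}

/* Hardened ordering: the handler holds its own reference for as long as it
 * may touch the object, so the owner's release cannot free it. Returns 0,
 * or -2 if the object was not released once every holder let go (a leak). */
int scenario_safe(void)
{
    struct subscription *s = sub_alloc("sip:alice@example.invalid");
    struct subscription *handler_ptr = sub_ref(s);   /* refcount 1 -> 2 */
    owner_terminates(s);                             /* refcount 2 -> 1, still valid */
    int rc = sub_do_work(handler_ptr);
    sub_unref(handler_ptr);                          /* refcount 1 -> 0: freed now */
    if (!s->freed) {
        rc = -2;                                     /* reference leak */
    }
    free(s);                                         /* demo-only cleanup */
    return rc;
}

int main(void)
{
    printf("unsafe ordering: %d (expect -1, use-after-free)\n", scenario_unsafe());
    printf("safe ordering:   %d (expect 0)\n", scenario_safe());
    return 0;
}
```

The rule the hardened path follows is the general one for this bug class: any context that can run concurrently with the owner's release must hold its own reference for the whole window in which it may dereference the pointer, and drop it only when it is done. Running the real program under AddressSanitizer (`-fsanitize=address`) with `free()` in place of the `freed` flag is how this race is normally confirmed.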
Vulnerability category: Memory Corruption; Denial of service
Exploit prediction scoring system (EPSS) score for CVE-2022-42705
Probability of exploitation activity in the next 30 days: 0.21%
Percentile (proportion of vulnerabilities scored at or below this one): ~59%
CVSS scores for CVE-2022-42705
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 | NIST
CWE ids for CVE-2022-42705
- Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-42705
- https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html ([SECURITY] [DLA 3335-1] asterisk security update)
- https://www.debian.org/security/2023/dsa-5358 (Debian -- Security Information -- DSA-5358-1 asterisk)
- https://downloads.asterisk.org/pub/security/AST-2022-008.html (AST-2022-008; Patch, Vendor Advisory)
Products affected by CVE-2022-42705
- cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
- cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
- cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
- cpe:2.3:a:sangoma:asterisk:20.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:sangoma:certified_asterisk:18.9:cert2:*:*:*:*:*:*