CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Kamailio : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2018-16657 20 DoS Exec Code 2018-09-07 2018-11-15
7.5
None Remote Low Not required Partial Partial Partial
In Kamailio before 5.0.7 and 5.1.x before 5.1.4, a crafted SIP message with an invalid Via header causes a segmentation fault and crashes Kamailio. The reason is missing input validation in the crcitt_string_array core function for calculating a CRC hash for To tags. (An additional error is present in the check_via_address core function: this function also misses input validation.) This could result in denial of service and potentially the execution of arbitrary code.
2 CVE-2018-14767 20 DoS Exec Code 2018-07-31 2018-10-04
7.5
None Remote Low Not required Partial Partial Partial
In Kamailio before 5.0.7 and 5.1.x before 5.1.4, a crafted SIP message with a double "To" header and an empty "To" tag causes a segmentation fault and crash. The reason is missing input validation in the "build_res_buf_from_sip_req" core function. This could result in denial of service and potentially the execution of arbitrary code.
3 CVE-2018-8828 119 Overflow 2018-03-20 2018-04-20
7.5
None Remote Low Not required Partial Partial Partial
A Buffer Overflow issue was discovered in Kamailio before 4.4.7, 5.0.x before 5.0.6, and 5.1.x before 5.1.2. A specially crafted REGISTER message with a malformed branch or From tag triggers an off-by-one heap-based buffer overflow in the tmx_check_pretran function in modules/tmx/tmx_pretran.c.
4 CVE-2016-2385 119 DoS Exec Code Overflow Mem. Corr. 2016-04-11 2018-10-09
10.0
None Remote Low Not required Complete Complete Complete
Heap-based buffer overflow in the encode_msg function in encode_msg.c in the SEAS module in Kamailio (formerly OpenSER and SER) before 4.3.5 allows remote attackers to cause a denial of service (memory corruption and process crash) or possibly execute arbitrary code via a large SIP packet.
5 CVE-2015-1591 264 +Priv 2017-06-27 2017-07-05
4.6
None Local Low Not required Partial Partial Partial
The kamailio build in kamailio before 4.2.0-2 process allows local users to gain privileges.
6 CVE-2015-1590 264 2017-09-07 2017-09-13
4.6
None Local Low Not required Partial Partial Partial
The kamcmd administrative utility and default configuration in kamailio before 4.3.0 use /tmp/kamailio_ctl.
7 CVE-2013-7426 434 2017-08-29 2017-09-02
7.5
None Remote Low Not required Partial Partial Partial
Insecure Temporary file vulnerability in /tmp/kamailio_fifo in kamailio 4.0.1.
Total number of vulnerabilities : 7   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.