CVE-2007-6430

Asterisk Open Source 1.2.x before 1.2.26 and 1.4.x before 1.4.16, and Business Edition B.x.x before B.2.3.6 and C.x.x before C.1.0-beta8, when using database-based registrations (realtime) and host-based authentication, does not check the IP address when the username is correct and there is no password, which allows remote attackers to bypass authentication using a valid username.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name	Vendor	Start Version	End Version
Asterisk_business_edition	Asterisk	b.1.3.2 (including)	b.1.3.2 (including)
Asterisk_business_edition	Asterisk	b.1.3.3 (including)	b.1.3.3 (including)
Asterisk_business_edition	Asterisk	b.2.2.0 (including)	b.2.2.0 (including)
Asterisk_business_edition	Asterisk	b.2.2.1 (including)	b.2.2.1 (including)
Asterisk_business_edition	Asterisk	b.2.3.1 (including)	b.2.3.1 (including)
Asterisk_business_edition	Asterisk	b.2.3.2 (including)	b.2.3.2 (including)
Asterisk_business_edition	Asterisk	b.2.3.3 (including)	b.2.3.3 (including)
Asterisk_business_edition	Asterisk	b.2.3.4 (including)	b.2.3.4 (including)
Asterisk_business_edition	Asterisk	c.1.0beta7 (including)	c.1.0beta7 (including)
Open_source	Asterisk	1.2.0beta1 (including)	1.2.0beta1 (including)
Open_source	Asterisk	1.2.0beta2 (including)	1.2.0beta2 (including)
Open_source	Asterisk	1.2.5 (including)	1.2.5 (including)
Open_source	Asterisk	1.2.6 (including)	1.2.6 (including)
Open_source	Asterisk	1.2.7 (including)	1.2.7 (including)
Open_source	Asterisk	1.2.8 (including)	1.2.8 (including)
Open_source	Asterisk	1.2.9 (including)	1.2.9 (including)
Open_source	Asterisk	1.2.10 (including)	1.2.10 (including)
Open_source	Asterisk	1.2.11 (including)	1.2.11 (including)
Open_source	Asterisk	1.2.13 (including)	1.2.13 (including)
Open_source	Asterisk	1.2.14 (including)	1.2.14 (including)
Open_source	Asterisk	1.2.15 (including)	1.2.15 (including)
Open_source	Asterisk	1.2.16 (including)	1.2.16 (including)
Open_source	Asterisk	1.2.17 (including)	1.2.17 (including)
Open_source	Asterisk	1.2.18 (including)	1.2.18 (including)
Open_source	Asterisk	1.2.19 (including)	1.2.19 (including)
Open_source	Asterisk	1.2.21 (including)	1.2.21 (including)
Open_source	Asterisk	1.2.22 (including)	1.2.22 (including)
Open_source	Asterisk	1.2.23 (including)	1.2.23 (including)
Open_source	Asterisk	1.2.24 (including)	1.2.24 (including)
Open_source	Asterisk	1.2.25 (including)	1.2.25 (including)
Open_source	Asterisk	1.4.1 (including)	1.4.1 (including)
Open_source	Asterisk	1.4.2 (including)	1.4.2 (including)
Open_source	Asterisk	1.4.3 (including)	1.4.3 (including)
Open_source	Asterisk	1.4.4 (including)	1.4.4 (including)
Open_source	Asterisk	1.4.5 (including)	1.4.5 (including)
Open_source	Asterisk	1.4.6 (including)	1.4.6 (including)
Open_source	Asterisk	1.4.7 (including)	1.4.7 (including)
Open_source	Asterisk	1.4.8 (including)	1.4.8 (including)
Open_source	Asterisk	1.4.9 (including)	1.4.9 (including)
Open_source	Asterisk	1.4.10 (including)	1.4.10 (including)
Open_source	Asterisk	1.4.11 (including)	1.4.11 (including)
Open_source	Asterisk	1.4.12 (including)	1.4.12 (including)
Open_source	Asterisk	1.4.13 (including)	1.4.13 (including)
Open_source	Asterisk	1.4.14 (including)	1.4.14 (including)
Open_source	Asterisk	1.4.15 (including)	1.4.15 (including)
Open_source	Asterisk	1.4beta (including)	1.4beta (including)
Asterisk	Ubuntu	dapper	*
Asterisk	Ubuntu	devel	*
Asterisk	Ubuntu	edgy	*
Asterisk	Ubuntu	feisty	*
Asterisk	Ubuntu	gutsy	*
Asterisk	Ubuntu	hardy	*
Asterisk	Ubuntu	intrepid	*
Asterisk	Ubuntu	jaunty	*
Asterisk	Ubuntu	karmic	*
Asterisk	Ubuntu	upstream	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2007-6430
CWE	https://cwe.mitre.org/data/definitions/287.html

Improper Authentication

Weakness

Affected Software

Potential Mitigations

References

CVE-2007-6430

Improper Authentication

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References