Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.3, 1.6.0.x before 1.6.0.17, and 1.6.1.x before 1.6.1.9; Business Edition A.x.x, B.x.x before B.2.5.12, C.2.x.x before C.2.4.5, and C.3.x.x before C.3.2.2; AsteriskNOW 1.5; and s800i 1.3.x before 1.3.0.5 generate different error messages depending on whether a SIP username is valid, which allows remote attackers to enumerate valid usernames via multiple crafted REGISTER messages with inconsistent usernames in the URI in the To header and the Digest in the Authorization header.
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Asterisk | Digium | 1.2.0 (including) | 1.2.0 (including) |
| Asterisk | Digium | 1.2.0-beta1 (including) | 1.2.0-beta1 (including) |
| Asterisk | Digium | 1.2.0-beta2 (including) | 1.2.0-beta2 (including) |
| Asterisk | Digium | 1.2.0-rc1 (including) | 1.2.0-rc1 (including) |
| Asterisk | Digium | 1.2.0-rc2 (including) | 1.2.0-rc2 (including) |
| Asterisk | Digium | 1.2.1 (including) | 1.2.1 (including) |
| Asterisk | Digium | 1.2.2 (including) | 1.2.2 (including) |
| Asterisk | Digium | 1.2.2-netsec (including) | 1.2.2-netsec (including) |
| Asterisk | Digium | 1.2.3 (including) | 1.2.3 (including) |
| Asterisk | Digium | 1.2.3-netsec (including) | 1.2.3-netsec (including) |
| Asterisk | Digium | 1.2.10 (including) | 1.2.10 (including) |
| Asterisk | Digium | 1.2.10-netsec (including) | 1.2.10-netsec (including) |
| Asterisk | Digium | 1.2.11 (including) | 1.2.11 (including) |
| Asterisk | Digium | 1.2.11-netsec (including) | 1.2.11-netsec (including) |
| Asterisk | Digium | 1.2.12 (including) | 1.2.12 (including) |
| Asterisk | Digium | 1.2.12-netsec (including) | 1.2.12-netsec (including) |
| Asterisk | Digium | 1.2.12.1 (including) | 1.2.12.1 (including) |
| Asterisk | Digium | 1.2.12.1-netsec (including) | 1.2.12.1-netsec (including) |
| Asterisk | Digium | 1.2.13 (including) | 1.2.13 (including) |
| Asterisk | Digium | 1.2.13-netsec (including) | 1.2.13-netsec (including) |
| Asterisk | Digium | 1.2.14 (including) | 1.2.14 (including) |
| Asterisk | Digium | 1.2.15 (including) | 1.2.15 (including) |
| Asterisk | Digium | 1.2.15-netsec (including) | 1.2.15-netsec (including) |
| Asterisk | Digium | 1.2.16 (including) | 1.2.16 (including) |
| Asterisk | Digium | 1.2.16-netsec (including) | 1.2.16-netsec (including) |
| Asterisk | Digium | 1.2.17 (including) | 1.2.17 (including) |
| Asterisk | Digium | 1.2.17-netsec (including) | 1.2.17-netsec (including) |
| Asterisk | Digium | 1.2.18 (including) | 1.2.18 (including) |
| Asterisk | Digium | 1.2.18-netsec (including) | 1.2.18-netsec (including) |
| Asterisk | Digium | 1.2.19 (including) | 1.2.19 (including) |
| Asterisk | Digium | 1.2.19-netsec (including) | 1.2.19-netsec (including) |
| Asterisk | Digium | 1.2.20 (including) | 1.2.20 (including) |
| Asterisk | Digium | 1.2.20-netsec (including) | 1.2.20-netsec (including) |
| Asterisk | Digium | 1.2.21 (including) | 1.2.21 (including) |
| Asterisk | Digium | 1.2.21-netsec (including) | 1.2.21-netsec (including) |
| Asterisk | Digium | 1.2.21.1 (including) | 1.2.21.1 (including) |
| Asterisk | Digium | 1.2.21.1-netsec (including) | 1.2.21.1-netsec (including) |
| Asterisk | Digium | 1.2.22 (including) | 1.2.22 (including) |
| Asterisk | Digium | 1.2.22-netsec (including) | 1.2.22-netsec (including) |
| Asterisk | Digium | 1.2.23 (including) | 1.2.23 (including) |
| Asterisk | Digium | 1.2.23-netsec (including) | 1.2.23-netsec (including) |
| Asterisk | Digium | 1.2.24 (including) | 1.2.24 (including) |
| Asterisk | Digium | 1.2.24-netsec (including) | 1.2.24-netsec (including) |
| Asterisk | Digium | 1.2.25 (including) | 1.2.25 (including) |
| Asterisk | Digium | 1.2.25-netsec (including) | 1.2.25-netsec (including) |
| Asterisk | Digium | 1.2.26 (including) | 1.2.26 (including) |
| Asterisk | Digium | 1.2.26-netsec (including) | 1.2.26-netsec (including) |
| Asterisk | Digium | 1.2.26.1 (including) | 1.2.26.1 (including) |
| Asterisk | Digium | 1.2.26.1-netsec (including) | 1.2.26.1-netsec (including) |
| Asterisk | Digium | 1.2.26.2 (including) | 1.2.26.2 (including) |
| Asterisk | Digium | 1.2.26.2-netsec (including) | 1.2.26.2-netsec (including) |
| Asterisk | Digium | 1.2.27 (including) | 1.2.27 (including) |
| Asterisk | Digium | 1.2.28 (including) | 1.2.28 (including) |
| Asterisk | Digium | 1.2.28.1 (including) | 1.2.28.1 (including) |
| Asterisk | Digium | 1.2.29 (including) | 1.2.29 (including) |
| Asterisk | Digium | 1.2.30 (including) | 1.2.30 (including) |
| Asterisk | Digium | 1.2.30.1 (including) | 1.2.30.1 (including) |
| Asterisk | Digium | 1.2.30.2 (including) | 1.2.30.2 (including) |
| Asterisk | Digium | 1.2.30.3 (including) | 1.2.30.3 (including) |
| Asterisk | Digium | 1.2.30.4 (including) | 1.2.30.4 (including) |
| Asterisk | Digium | 1.2.31 (including) | 1.2.31 (including) |
| Asterisk | Digium | 1.2.31.1 (including) | 1.2.31.1 (including) |
| Asterisk | Digium | 1.2.32 (including) | 1.2.32 (including) |
| Asterisk | Digium | 1.2.33 (including) | 1.2.33 (including) |
| Asterisk | Digium | 1.2.34 (including) | 1.2.34 (including) |
| Asterisk | Digium | 1.4.0 (including) | 1.4.0 (including) |
| Asterisk | Digium | 1.4.0-beta1 (including) | 1.4.0-beta1 (including) |
| Asterisk | Digium | 1.4.0-beta2 (including) | 1.4.0-beta2 (including) |
| Asterisk | Digium | 1.4.0-beta3 (including) | 1.4.0-beta3 (including) |
| Asterisk | Digium | 1.4.0-beta4 (including) | 1.4.0-beta4 (including) |
| Asterisk | Digium | 1.4.1 (including) | 1.4.1 (including) |
| Asterisk | Digium | 1.4.2 (including) | 1.4.2 (including) |
| Asterisk | Digium | 1.4.3 (including) | 1.4.3 (including) |
| Asterisk | Digium | 1.4.4 (including) | 1.4.4 (including) |
| Asterisk | Digium | 1.4.5 (including) | 1.4.5 (including) |
| Asterisk | Digium | 1.4.6 (including) | 1.4.6 (including) |
| Asterisk | Digium | 1.4.7 (including) | 1.4.7 (including) |
| Asterisk | Digium | 1.4.7.1 (including) | 1.4.7.1 (including) |
| Asterisk | Digium | 1.4.8 (including) | 1.4.8 (including) |
| Asterisk | Digium | 1.4.9 (including) | 1.4.9 (including) |
| Asterisk | Digium | 1.4.10 (including) | 1.4.10 (including) |
| Asterisk | Digium | 1.4.10.1 (including) | 1.4.10.1 (including) |
| Asterisk | Digium | 1.4.11 (including) | 1.4.11 (including) |
| Asterisk | Digium | 1.4.12 (including) | 1.4.12 (including) |
| Asterisk | Digium | 1.4.12.1 (including) | 1.4.12.1 (including) |
| Asterisk | Digium | 1.4.13 (including) | 1.4.13 (including) |
| Asterisk | Digium | 1.4.14 (including) | 1.4.14 (including) |
| Asterisk | Digium | 1.4.15 (including) | 1.4.15 (including) |
| Asterisk | Digium | 1.4.16 (including) | 1.4.16 (including) |
| Asterisk | Digium | 1.4.16.1 (including) | 1.4.16.1 (including) |
| Asterisk | Digium | 1.4.16.2 (including) | 1.4.16.2 (including) |
| Asterisk | Digium | 1.4.17 (including) | 1.4.17 (including) |
| Asterisk | Digium | 1.4.18 (including) | 1.4.18 (including) |
| Asterisk | Digium | 1.4.19 (including) | 1.4.19 (including) |
| Asterisk | Digium | 1.4.19-rc1 (including) | 1.4.19-rc1 (including) |
| Asterisk | Digium | 1.4.19-rc2 (including) | 1.4.19-rc2 (including) |
| Asterisk | Digium | 1.4.19-rc3 (including) | 1.4.19-rc3 (including) |
| Asterisk | Digium | 1.4.19-rc4 (including) | 1.4.19-rc4 (including) |
| Asterisk | Digium | 1.4.19.1 (including) | 1.4.19.1 (including) |
| Asterisk | Digium | 1.4.19.2 (including) | 1.4.19.2 (including) |
| Asterisk | Digium | 1.4.20 (including) | 1.4.20 (including) |
| Asterisk | Digium | 1.4.20-rc1 (including) | 1.4.20-rc1 (including) |
| Asterisk | Digium | 1.4.20-rc2 (including) | 1.4.20-rc2 (including) |
| Asterisk | Digium | 1.4.20-rc3 (including) | 1.4.20-rc3 (including) |
| Asterisk | Digium | 1.4.20.1 (including) | 1.4.20.1 (including) |
| Asterisk | Digium | 1.4.21 (including) | 1.4.21 (including) |
| Asterisk | Digium | 1.4.21-rc1 (including) | 1.4.21-rc1 (including) |
| Asterisk | Digium | 1.4.21-rc2 (including) | 1.4.21-rc2 (including) |
| Asterisk | Digium | 1.4.21.1 (including) | 1.4.21.1 (including) |
| Asterisk | Digium | 1.4.21.2 (including) | 1.4.21.2 (including) |
| Asterisk | Digium | 1.4.22 (including) | 1.4.22 (including) |
| Asterisk | Digium | 1.4.22-rc1 (including) | 1.4.22-rc1 (including) |
| Asterisk | Digium | 1.4.22-rc2 (including) | 1.4.22-rc2 (including) |
| Asterisk | Digium | 1.4.22-rc3 (including) | 1.4.22-rc3 (including) |
| Asterisk | Digium | 1.4.22-rc4 (including) | 1.4.22-rc4 (including) |
| Asterisk | Digium | 1.4.22-rc5 (including) | 1.4.22-rc5 (including) |
| Asterisk | Digium | 1.4.22.1 (including) | 1.4.22.1 (including) |
| Asterisk | Digium | 1.4.22.2 (including) | 1.4.22.2 (including) |
| Asterisk | Digium | 1.4.23 (including) | 1.4.23 (including) |
| Asterisk | Digium | 1.4.23-rc1 (including) | 1.4.23-rc1 (including) |
| Asterisk | Digium | 1.4.23-rc2 (including) | 1.4.23-rc2 (including) |
| Asterisk | Digium | 1.4.23-rc3 (including) | 1.4.23-rc3 (including) |
| Asterisk | Digium | 1.4.23-rc4 (including) | 1.4.23-rc4 (including) |
| Asterisk | Digium | 1.4.23.1 (including) | 1.4.23.1 (including) |
| Asterisk | Digium | 1.4.23.2 (including) | 1.4.23.2 (including) |
| Asterisk | Digium | 1.4.24 (including) | 1.4.24 (including) |
| Asterisk | Digium | 1.4.24-rc1 (including) | 1.4.24-rc1 (including) |
| Asterisk | Digium | 1.4.24.1 (including) | 1.4.24.1 (including) |
| Asterisk | Digium | 1.4.25 (including) | 1.4.25 (including) |
| Asterisk | Digium | 1.4.25-rc1 (including) | 1.4.25-rc1 (including) |
| Asterisk | Digium | 1.4.25.1 (including) | 1.4.25.1 (including) |
| Asterisk | Digium | 1.4.26 (including) | 1.4.26 (including) |
| Asterisk | Digium | 1.4.26-rc1 (including) | 1.4.26-rc1 (including) |
| Asterisk | Digium | 1.4.26-rc2 (including) | 1.4.26-rc2 (including) |
| Asterisk | Digium | 1.4.26-rc3 (including) | 1.4.26-rc3 (including) |
| Asterisk | Digium | 1.4.26-rc4 (including) | 1.4.26-rc4 (including) |
| Asterisk | Digium | 1.4.26-rc5 (including) | 1.4.26-rc5 (including) |
| Asterisk | Digium | 1.4.26-rc6 (including) | 1.4.26-rc6 (including) |
| Asterisk | Digium | 1.4.26.1 (including) | 1.4.26.1 (including) |
| Asterisk | Digium | 1.4.26.2 (including) | 1.4.26.2 (including) |
| Asterisk | Digium | 1.6.0 (including) | 1.6.0 (including) |
| Asterisk | Digium | 1.6.0-beta1 (including) | 1.6.0-beta1 (including) |
| Asterisk | Digium | 1.6.0-beta2 (including) | 1.6.0-beta2 (including) |
| Asterisk | Digium | 1.6.0-beta3 (including) | 1.6.0-beta3 (including) |
| Asterisk | Digium | 1.6.0-beta4 (including) | 1.6.0-beta4 (including) |
| Asterisk | Digium | 1.6.0-beta5 (including) | 1.6.0-beta5 (including) |
| Asterisk | Digium | 1.6.0-beta6 (including) | 1.6.0-beta6 (including) |
| Asterisk | Digium | 1.6.0-beta7 (including) | 1.6.0-beta7 (including) |
| Asterisk | Digium | 1.6.0-beta7.1 (including) | 1.6.0-beta7.1 (including) |
| Asterisk | Digium | 1.6.0-beta8 (including) | 1.6.0-beta8 (including) |
| Asterisk | Digium | 1.6.0-beta9 (including) | 1.6.0-beta9 (including) |
| Asterisk | Digium | 1.6.0-rc4 (including) | 1.6.0-rc4 (including) |
| Asterisk | Digium | 1.6.0-rc5 (including) | 1.6.0-rc5 (including) |
| Asterisk | Digium | 1.6.0-rc6 (including) | 1.6.0-rc6 (including) |
| Asterisk | Digium | 1.6.0.1 (including) | 1.6.0.1 (including) |
| Asterisk | Digium | 1.6.0.2 (including) | 1.6.0.2 (including) |
| Asterisk | Digium | 1.6.0.3 (including) | 1.6.0.3 (including) |
| Asterisk | Digium | 1.6.0.3-rc1 (including) | 1.6.0.3-rc1 (including) |
| Asterisk | Digium | 1.6.0.4-rc1 (including) | 1.6.0.4-rc1 (including) |
| Asterisk | Digium | 1.6.0.5 (including) | 1.6.0.5 (including) |
| Asterisk | Digium | 1.6.0.6 (including) | 1.6.0.6 (including) |
| Asterisk | Digium | 1.6.0.7 (including) | 1.6.0.7 (including) |
| Asterisk | Digium | 1.6.0.8 (including) | 1.6.0.8 (including) |
| Asterisk | Digium | 1.6.0.9 (including) | 1.6.0.9 (including) |
| Asterisk | Digium | 1.6.0.10 (including) | 1.6.0.10 (including) |
| Asterisk | Digium | 1.6.0.11 (including) | 1.6.0.11 (including) |
| Asterisk | Digium | 1.6.0.11-rc1 (including) | 1.6.0.11-rc1 (including) |
| Asterisk | Digium | 1.6.0.11-rc2 (including) | 1.6.0.11-rc2 (including) |
| Asterisk | Digium | 1.6.0.14 (including) | 1.6.0.14 (including) |
| Asterisk | Digium | 1.6.0.14-rc1 (including) | 1.6.0.14-rc1 (including) |
| Asterisk | Digium | 1.6.0.15 (including) | 1.6.0.15 (including) |
| Asterisk | Digium | 1.6.0.16 (including) | 1.6.0.16 (including) |
| Asterisk | Digium | 1.6.0.16-rc1 (including) | 1.6.0.16-rc1 (including) |
| Asterisk | Digium | 1.6.0.16-rc2 (including) | 1.6.0.16-rc2 (including) |
| Asterisk | Digium | 1.6.1.0 (including) | 1.6.1.0 (including) |
| Asterisk | Digium | 1.6.1.0-rc2 (including) | 1.6.1.0-rc2 (including) |
| Asterisk | Digium | 1.6.1.0-rc3 (including) | 1.6.1.0-rc3 (including) |
| Asterisk | Digium | 1.6.1.0-rc4 (including) | 1.6.1.0-rc4 (including) |
| Asterisk | Digium | 1.6.1.0-rc5 (including) | 1.6.1.0-rc5 (including) |
| Asterisk | Digium | 1.6.1.1 (including) | 1.6.1.1 (including) |
| Asterisk | Digium | 1.6.1.2 (including) | 1.6.1.2 (including) |
| Asterisk | Digium | 1.6.1.3-rc1 (including) | 1.6.1.3-rc1 (including) |
| Asterisk | Digium | 1.6.1.4 (including) | 1.6.1.4 (including) |
| Asterisk | Digium | 1.6.1.5 (including) | 1.6.1.5 (including) |
| Asterisk | Digium | 1.6.1.5-rc1 (including) | 1.6.1.5-rc1 (including) |
| Asterisk | Digium | 1.6.1.6 (including) | 1.6.1.6 (including) |
| Asterisk | Digium | 1.6.1.7-rc1 (including) | 1.6.1.7-rc1 (including) |
| Asterisk | Digium | 1.6.1.7-rc2 (including) | 1.6.1.7-rc2 (including) |
| Asterisk | Digium | 1.6.1.8 (including) | 1.6.1.8 (including) |
| Asterisk | Digium | 1.6.1.10-rc1 (including) | 1.6.1.10-rc1 (including) |
| Asterisk | Digium | 1.6.1.10-rc2 (including) | 1.6.1.10-rc2 (including) |
| Asterisk | Ubuntu | dapper | * |
| Asterisk | Ubuntu | hardy | * |
| Asterisk | Ubuntu | intrepid | * |
| Asterisk | Ubuntu | jaunty | * |
| Asterisk | Ubuntu | karmic | * |
| Asterisk | Ubuntu | upstream | * |
There are many different kinds of mistakes that introduce information exposures. The severity of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker. Some kinds of sensitive information include:
Information might be sensitive to different parties, each of which may have their own expectations for whether the information should be protected. These parties include:
Information exposures can occur in different ways:
It is common practice to describe any loss of confidentiality as an “information exposure,” but this can lead to overuse of CWE-200 in CWE mapping. From the CWE perspective, loss of confidentiality is a technical impact that can arise from dozens of different weaknesses, such as insecure file permissions or out-of-bounds read. CWE-200 and its lower-level descendants are intended to cover the mistakes that occur in behaviors that explicitly manage, store, transfer, or cleanse sensitive information.