An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace. This means that headers such as Contactx01: will be seen as a valid Contact header. This mostly does not pose a problem until Asterisk is placed in tandem with an authenticating SIP proxy. In such a case, a crafty combination of valid and invalid To headers can cause a proxy to allow an INVITE request into Asterisk without authentication since it believes the request is an in-dialog request. However, because of the bug described above, the request will look like an out-of-dialog request to Asterisk. Asterisk will then process the request as a new call. The result is that Asterisk can process calls from unvetted sources without any authentication. If you do not use a proxy for authentication, then this issue does not affect you. If your proxy is dialog-aware (meaning that the proxy keeps track of what dialogs are currently valid), then this issue does not affect you. If you use chan_pjsip instead of chan_sip, then this issue does not affect you.
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Asterisk | Digium | 11.0.0 (including) | 11.0.0 (including) |
| Asterisk | Digium | 11.0.0-beta1 (including) | 11.0.0-beta1 (including) |
| Asterisk | Digium | 11.0.0-beta2 (including) | 11.0.0-beta2 (including) |
| Asterisk | Digium | 11.0.0-rc1 (including) | 11.0.0-rc1 (including) |
| Asterisk | Digium | 11.0.0-rc2 (including) | 11.0.0-rc2 (including) |
| Asterisk | Digium | 11.0.1 (including) | 11.0.1 (including) |
| Asterisk | Digium | 11.0.2 (including) | 11.0.2 (including) |
| Asterisk | Digium | 11.1.0 (including) | 11.1.0 (including) |
| Asterisk | Digium | 11.1.0-rc1 (including) | 11.1.0-rc1 (including) |
| Asterisk | Digium | 11.1.0-rc3 (including) | 11.1.0-rc3 (including) |
| Asterisk | Digium | 11.1.1 (including) | 11.1.1 (including) |
| Asterisk | Digium | 11.1.2 (including) | 11.1.2 (including) |
| Asterisk | Digium | 11.2.0 (including) | 11.2.0 (including) |
| Asterisk | Digium | 11.2.0-rc1 (including) | 11.2.0-rc1 (including) |
| Asterisk | Digium | 11.2.0-rc2 (including) | 11.2.0-rc2 (including) |
| Asterisk | Digium | 11.2.1 (including) | 11.2.1 (including) |
| Asterisk | Digium | 11.2.2 (including) | 11.2.2 (including) |
| Asterisk | Digium | 11.3.0 (including) | 11.3.0 (including) |
| Asterisk | Digium | 11.4.0 (including) | 11.4.0 (including) |
| Asterisk | Digium | 11.5.0 (including) | 11.5.0 (including) |
| Asterisk | Digium | 11.5.1 (including) | 11.5.1 (including) |
| Asterisk | Digium | 11.6.0 (including) | 11.6.0 (including) |
| Asterisk | Digium | 11.6.1 (including) | 11.6.1 (including) |
| Asterisk | Digium | 11.7.0 (including) | 11.7.0 (including) |
| Asterisk | Digium | 11.8.0 (including) | 11.8.0 (including) |
| Asterisk | Digium | 11.8.1 (including) | 11.8.1 (including) |
| Asterisk | Digium | 11.9.0 (including) | 11.9.0 (including) |
| Asterisk | Digium | 11.10.0 (including) | 11.10.0 (including) |
| Asterisk | Digium | 11.10.1 (including) | 11.10.1 (including) |
| Asterisk | Digium | 11.10.2 (including) | 11.10.2 (including) |
| Asterisk | Digium | 11.11.0 (including) | 11.11.0 (including) |
| Asterisk | Digium | 11.12.0 (including) | 11.12.0 (including) |
| Asterisk | Digium | 11.12.1 (including) | 11.12.1 (including) |
| Asterisk | Digium | 11.13.0 (including) | 11.13.0 (including) |
| Asterisk | Digium | 11.13.1 (including) | 11.13.1 (including) |
| Asterisk | Digium | 11.14.0 (including) | 11.14.0 (including) |
| Asterisk | Digium | 11.14.1 (including) | 11.14.1 (including) |
| Asterisk | Digium | 11.14.2 (including) | 11.14.2 (including) |
| Asterisk | Digium | 11.15.0 (including) | 11.15.0 (including) |
| Asterisk | Digium | 11.15.1 (including) | 11.15.1 (including) |
| Asterisk | Digium | 11.16.0 (including) | 11.16.0 (including) |
| Asterisk | Digium | 11.17.0 (including) | 11.17.0 (including) |
| Asterisk | Digium | 11.17.1 (including) | 11.17.1 (including) |
| Asterisk | Digium | 11.18.0 (including) | 11.18.0 (including) |
| Asterisk | Digium | 11.19.0 (including) | 11.19.0 (including) |
| Asterisk | Digium | 11.20.0 (including) | 11.20.0 (including) |
| Asterisk | Digium | 11.21.0 (including) | 11.21.0 (including) |
| Asterisk | Digium | 11.21.1 (including) | 11.21.1 (including) |
| Asterisk | Digium | 11.21.2 (including) | 11.21.2 (including) |
| Asterisk | Digium | 11.22.0 (including) | 11.22.0 (including) |
| Asterisk | Digium | 11.22.0-rc1 (including) | 11.22.0-rc1 (including) |
| Asterisk | Digium | 11.23.0 (including) | 11.23.0 (including) |
| Asterisk | Digium | 11.23.0-rc1 (including) | 11.23.0-rc1 (including) |
| Asterisk | Digium | 11.23.1 (including) | 11.23.1 (including) |
| Asterisk | Digium | 11.24.0 (including) | 11.24.0 (including) |
| Asterisk | Digium | 11.24.1 (including) | 11.24.1 (including) |
| Asterisk | Digium | 11.25.0 (including) | 11.25.0 (including) |
| Asterisk | Digium | 13.0.0 (including) | 13.0.0 (including) |
| Asterisk | Digium | 13.0.0-beta1 (including) | 13.0.0-beta1 (including) |
| Asterisk | Digium | 13.0.0-beta2 (including) | 13.0.0-beta2 (including) |
| Asterisk | Digium | 13.0.0-beta3 (including) | 13.0.0-beta3 (including) |
| Asterisk | Digium | 13.0.1 (including) | 13.0.1 (including) |
| Asterisk | Digium | 13.0.2 (including) | 13.0.2 (including) |
| Asterisk | Digium | 13.1.0 (including) | 13.1.0 (including) |
| Asterisk | Digium | 13.1.1 (including) | 13.1.1 (including) |
| Asterisk | Digium | 13.2.0 (including) | 13.2.0 (including) |
| Asterisk | Digium | 13.2.1 (including) | 13.2.1 (including) |
| Asterisk | Digium | 13.3.0 (including) | 13.3.0 (including) |
| Asterisk | Digium | 13.3.1 (including) | 13.3.1 (including) |
| Asterisk | Digium | 13.3.2 (including) | 13.3.2 (including) |
| Asterisk | Digium | 13.4.0 (including) | 13.4.0 (including) |
| Asterisk | Digium | 13.5.0 (including) | 13.5.0 (including) |
| Asterisk | Digium | 13.6.0 (including) | 13.6.0 (including) |
| Asterisk | Digium | 13.7.0 (including) | 13.7.0 (including) |
| Asterisk | Digium | 13.7.1 (including) | 13.7.1 (including) |
| Asterisk | Digium | 13.7.2 (including) | 13.7.2 (including) |
| Asterisk | Digium | 13.8.0 (including) | 13.8.0 (including) |
| Asterisk | Digium | 13.8.0-rc1 (including) | 13.8.0-rc1 (including) |
| Asterisk | Digium | 13.8.1 (including) | 13.8.1 (including) |
| Asterisk | Digium | 13.8.2 (including) | 13.8.2 (including) |
| Asterisk | Digium | 13.9.0 (including) | 13.9.0 (including) |
| Asterisk | Digium | 13.9.1 (including) | 13.9.1 (including) |
| Asterisk | Digium | 13.10.0 (including) | 13.10.0 (including) |
| Asterisk | Digium | 13.10.0-rc1 (including) | 13.10.0-rc1 (including) |
| Asterisk | Digium | 13.11.0 (including) | 13.11.0 (including) |
| Asterisk | Digium | 13.11.1 (including) | 13.11.1 (including) |
| Asterisk | Digium | 13.11.2 (including) | 13.11.2 (including) |
| Asterisk | Digium | 13.12.0 (including) | 13.12.0 (including) |
| Asterisk | Digium | 13.12.1 (including) | 13.12.1 (including) |
| Asterisk | Digium | 13.12.2 (including) | 13.12.2 (including) |
| Asterisk | Digium | 13.13.0 (including) | 13.13.0 (including) |
| Asterisk | Digium | 14.0.0 (including) | 14.0.0 (including) |
| Asterisk | Digium | 14.0.0-beta1 (including) | 14.0.0-beta1 (including) |
| Asterisk | Digium | 14.0.0-beta2 (including) | 14.0.0-beta2 (including) |
| Asterisk | Digium | 14.0.0-rc1 (including) | 14.0.0-rc1 (including) |
| Asterisk | Digium | 14.0.0-rc2 (including) | 14.0.0-rc2 (including) |
| Asterisk | Digium | 14.0.1 (including) | 14.0.1 (including) |
| Asterisk | Digium | 14.0.2 (including) | 14.0.2 (including) |
| Asterisk | Digium | 14.1.0 (including) | 14.1.0 (including) |
| Asterisk | Digium | 14.1.1 (including) | 14.1.1 (including) |
| Asterisk | Digium | 14.1.2 (including) | 14.1.2 (including) |
| Asterisk | Digium | 14.2.0 (including) | 14.2.0 (including) |
Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user’s privileges and any permissions or other access-control specifications that apply to the resource. When access control checks are not applied consistently - or not at all - users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution.