Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.15.2, 21.10.2, and 22.5.2, if a SIP request is received with an Authorization header that contains a realm that wasnt in a previous 401 responses WWW-Authenticate header, or an Authorization header with an incorrect realm was received without a previous 401 response being sent, the get_authorization_header() function in res_pjsip_authenticator_digest will return a NULL. This wasnt being checked before attempting to get the digest algorithm from the header which causes a SEGV. This issue has been patched in versions 20.15.2, 21.10.2, and 22.5.2. There are no workarounds.
The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Asterisk | Sangoma | * | 20.15.2 (excluding) |
| Asterisk | Sangoma | 21.0.0 (including) | 21.10.2 (excluding) |
| Asterisk | Sangoma | 22.0.0 (including) | 22.5.2 (excluding) |