Headline
CVE-2022-42705: AST-2022-008
A use-after-free in res_pjsip_pubsub.c in Sangoma Asterisk 16.28, 18.14, 19.6, and certified/18.9-cert2 may allow a remote authenticated attacker to crash Asterisk (denial of service) by performing activity on a subscription via a reliable transport at the same time that Asterisk is also performing activity on that subscription.
Description
Use after free in res_pjsip_pubsub.c may allow a remote authenticated attacker to crash Asterisk (denial of service) by performing activity on a subscription via a reliable transport at the same time Asterisk is also performing activty on that subscription.
Modules Affected
res_pjsip_pubsub.c, res_pjsip_outbound_registration.c, pjsip_transport_events.c
Related news
Debian Linux Security Advisory 5358-1 - Multiple security vulnerabilities have been discovered in Asterisk, an Open Source Private Branch Exchange. Buffer overflows and other programming errors could be exploited for launching a denial of service attack or the execution of arbitrary code.