CVE-2023-37457

Asterisk's PJSIP_HEADER dialplan function can overwrite memory/cause crash when using 'update'

Description

Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk versions 18.20.0 and prior, 20.5.0 and prior, and 21.0.0, as well as certified-asterisk 18.9-cert5 and prior, the 'update' functionality of the PJSIP_HEADER dialplan function can exceed the available buffer space for storing the new value of a header. This can overwrite memory or cause a crash. It is not externally exploitable unless the dialplan is explicitly written to update a header based on data from an outside source. If the 'update' functionality is not used, the vulnerability does not occur. A patch is available at commit a1ca0268254374b515fa5992f01340f7717113fa.

Category

CVSS 3.1 base score: 7.5
Severity: High
EPSS: 0.08%
Vendor advisory: github.com
Affected: asterisk asterisk

References

Frequently Asked Questions

What is the severity of CVE-2023-37457?
CVE-2023-37457 has been scored as a high severity vulnerability.
How to fix CVE-2023-37457?
To fix CVE-2023-37457, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. At present, there are no other specific guidelines available.
Is CVE-2023-37457 being actively exploited in the wild?
At present, there is no information confirming that CVE-2023-37457 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-37457?
CVE-2023-37457 affects asterisk asterisk.