PT-2023-7750 · Sangoma+2 · Asterisk+3

Mbradeen · Published 2023-07-06 · Updated 2025-02-13 · CVE-2023-37457

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Asterisk versions 18.20.0 and prior
Asterisk versions 20.5.0 and prior
Asterisk version 21.0.0
certified-asterisk versions 18.9-cert5 and prior
Description

The issue is in the PJSIP HEADER dialplan function in Asterisk: the 'update' action can write a new header value that exceeds the buffer space available for storing it, potentially overwriting memory or causing a crash. This is not externally exploitable unless the dialplan is explicitly written to update a header with data taken from an outside source. If the 'update' functionality is not used, the issue does not occur.
Recommendations

For Asterisk versions 18.20.0 and prior, update to a version that includes the patch available at commit a1ca0268254374b515fa5992f01340f7717113fa.
For Asterisk versions 20.5.0 and prior, update to a version that includes the patch available at commit a1ca0268254374b515fa5992f01340f7717113fa.
For Asterisk version 21.0.0, update to a version that includes the patch available at commit a1ca0268254374b515fa5992f01340f7717113fa.
For certified-asterisk versions 18.9-cert5 and prior, update to a version that includes the patch available at commit a1ca0268254374b515fa5992f01340f7717113fa.

As a temporary workaround, consider disabling the PJSIP HEADER function's 'update' functionality until a patch is available.
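An added audit example, not part of the original advisory and not Asterisk project code: a small Python script that scans dialplan text for PJSIP_HEADER 'update' uses and flags those whose value is expanded at call time from a variable or function, which is the pattern the description says makes the issue reachable from outside. The extensions.conf fragment is constructed for the example.

```python
import re

# Constructed extensions.conf fragment (sample input, not from the advisory).
SAMPLE_DIALPLAN = """\
[from-trunk]
exten => _X.,1,NoOp(Inbound call)
 same => n,Set(PJSIP_HEADER(add,X-Static)=fixed-value)
 same => n,Set(PJSIP_HEADER(update,X-Contact-Hint)=${PJSIP_HEADER(read,Contact)})
 same => n,Set(PJSIP_HEADER(update,X-Tag)=static-tag)
 same => n,Set(PJSIP_HEADER(update,X-From)=${CALLERID(name)})
 same => n,Dial(PJSIP/${EXTEN})
"""

# Matches PJSIP_HEADER(update,<name>)=<value> inside a Set() application;
# the optional trailing ')' belongs to Set() and is stripped from the value.
_UPDATE_RE = re.compile(
    r"PJSIP_HEADER\(\s*update\s*,\s*([^)]*?)\s*\)\s*=\s*(.*?)\s*\)?\s*$",
    re.IGNORECASE,
)

# Anything expanded at call time (${...}) has a length that is not known when
# the dialplan is written; that is what lets 'update' exceed the header buffer.
_EXPANSION_RE = re.compile(r"\$\{")


def find_header_updates(dialplan: str):
    """Return one dict per PJSIP_HEADER 'update' use found in the dialplan text."""
    findings = []
    for lineno, line in enumerate(dialplan.splitlines(), start=1):
        m = _UPDATE_RE.search(line)
        if not m:
            continue
        header, value = m.group(1), m.group(2)
        findings.append({
            "line": lineno,
            "header": header,
            "value": value,
            "dynamic": bool(_EXPANSION_RE.search(value)),
        })
    return findings


def risky_updates(dialplan: str):
    """Only the 'update' uses whose new value comes from a runtime expansion."""
    return [f for f in find_header_updates(dialplan) if f["dynamic"]]


if __name__ == "__main__":
    for f in find_header_updates(SAMPLE_DIALPLAN):
        flag = "REVIEW" if f["dynamic"] else "static"
        print(f"line {f['line']}: {flag:6} update {f['header']} = {f['value']}")
```

Lines reported as REVIEW are the ones to rewrite or remove while the workaround above is in place; static values are only as long as the dialplan author wrote them.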

Weakness Enumeration

Buffer Overflow

Related Identifiers

ALT-PU-2025-2613
BDU:2023-08817
CVE-2023-37457
DLA-3696-1
DSA-5596-1
GHSA-98RC-4J27-74HH

Affected Products

Alt Linux
Asterisk
Red Os
Certified Asterisk