Vulnerability Name: | CVE-2008-3903 (CCN-45059)
Assigned: | 2008-09-02
Published: | 2008-09-02
Updated: | 2017-08-08
Summary: | Asterisk Open Source 1.2.x before 1.2.32, 1.4.x before 1.4.24.1, and 1.6.0.x before 1.6.0.8; Asterisk Business Edition A.x.x, B.x.x before B.2.5.8, C.1.x.x before C.1.10.5, and C.2.x.x before C.2.3.3; s800i 1.3.x before 1.3.0.2; and Trixbox PBX 2.6.1, when Digest authentication and authalwaysreject are enabled, generates different responses depending on whether a SIP username is valid, which allows remote attackers to enumerate valid usernames. Additional details can be found here: http://www.voipsa.org/pipermail/voipsec_voipsa.org/2006-May/001628.html
CVSS v3 Severity: | 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVSS v2 Severity: | 3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N)
2.6 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Vulnerability Type: | CWE-200
Vulnerability Consequences: | Obtain Information
References: |
Source: MITRE Type: CNA CVE-2008-3903
Source: CONFIRM Type: UNKNOWN http://downloads.asterisk.org/pub/security/AST-2009-003.html
Source: CCN Type: AST-2009-003 SIP responses expose valid usernames
Source: CCN Type: Misel Consulting Advisory, September 2, 2008 CVE-2008-3903: Disclosure of SIP username in Asterisk PBX.
Source: MISC Type: UNKNOWN http://misel.com/?p=52
Source: CCN Type: SA34564 Asterisk SIP Response User Enumeration Weakness
Source: SECUNIA Type: UNKNOWN 34982
Source: SECUNIA Type: UNKNOWN 37677
Source: GENTOO Type: UNKNOWN GLSA-200905-01
Source: CCN Type: Asterisk Web site Asterisk :: The Open Source PBX & Telephony Platform
Source: DEBIAN Type: UNKNOWN DSA-1952
Source: DEBIAN Type: DSA-1952 asterisk -- several vulnerabilities
Source: CCN Type: GLSA-200905-01 Asterisk: Multiple vulnerabilities
Source: CCN Type: OSVDB ID: 48473 Asterisk PBX Digest Authentication Remote Username Enumeration
Source: BID Type: UNKNOWN 34353
Source: CCN Type: BID-34353 Asterisk Authentication SIP Response Remote Information Disclosure Vulnerability
Source: VUPEN Type: UNKNOWN ADV-2009-0933
Source: XF Type: UNKNOWN asterisk-username-info-disclosure(45059)
Vulnerable Configuration: | Configuration 1: Configuration CCN 1: