47 vulnerabilities by signalwire
CVE-2026-49848 (GCVE-0-2026-49848)
Vulnerability from nvd – Published: 2026-06-09 16:05 – Updated: 2026-06-09 16:53
Title
FreeSWITCH: Pre-authentication `userVariables` injection in `mod_verto`
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's check_auth userauth branch wrote request-supplied userVariables into the connection state before comparing the supplied password. The writes are append-only and the connection is not closed on a failed compare, so values declared on bad-password attempts persisted on the same WebSocket and carried into a subsequent successful login on that connection. This issue has been patched in version 1.11.1.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/signalwire/freeswitch/security… | x_refsource_CONFIRM |
| https://github.com/signalwire/freeswitch/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| signalwire | freeswitch | Affected: < 1.11.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49848",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T16:50:30.238651Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T16:53:15.989Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto\u0027s check_auth userauth branch wrote request-supplied userVariables into the connection state before comparing the supplied password. The writes are append-only and the connection is not closed on a failed compare, so values declared on bad-password attempts persisted on the same WebSocket and carried into a subsequent successful login on that connection. This issue has been patched in version 1.11.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T16:05:42.064Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-j38x-xm7f-9p2f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-j38x-xm7f-9p2f"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.1"
}
],
"source": {
"advisory": "GHSA-j38x-xm7f-9p2f",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH: Pre-authentication `userVariables` injection in `mod_verto`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49848",
"datePublished": "2026-06-09T16:05:42.064Z",
"dateReserved": "2026-06-01T22:03:19.640Z",
"dateUpdated": "2026-06-09T16:53:15.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49847 (GCVE-0-2026-49847)
Vulnerability from nvd – Published: 2026-06-09 16:05 – Updated: 2026-06-09 20:20
Title
FreeSWITCH: Stack overflow in bundled cJSON parser via deeply nested JSON
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, a single unauthenticated WebSocket frame containing a deeply nested JSON document crashes the FreeSWITCH process via stack overflow, terminating all calls and sessions on the host. The recursion drives the worker thread's stack pointer into the stack guard page, raising SIGSEGV from the kernel before any usable write primitive develops. This issue has been patched in version 1.11.1.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-674 - Uncontrolled Recursion
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/signalwire/freeswitch/security… | x_refsource_CONFIRM |
| https://github.com/signalwire/freeswitch/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| signalwire | freeswitch | Affected: < 1.11.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49847",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T20:20:23.647601Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T20:20:37.647Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, a single unauthenticated WebSocket frame containing a deeply nested JSON document crashes the FreeSWITCH process via stack overflow, terminating all calls and sessions on the host. The recursion drives the worker thread\u0027s stack pointer into the stack guard page, raising SIGSEGV from the kernel before any usable write primitive develops. This issue has been patched in version 1.11.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674: Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T16:05:08.869Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-2v74-pcgh-75wg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-2v74-pcgh-75wg"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.1"
}
],
"source": {
"advisory": "GHSA-2v74-pcgh-75wg",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH: Stack overflow in bundled cJSON parser via deeply nested JSON"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49847",
"datePublished": "2026-06-09T16:05:08.869Z",
"dateReserved": "2026-06-01T22:03:19.640Z",
"dateUpdated": "2026-06-09T20:20:37.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49843 (GCVE-0-2026-49843)
Vulnerability from nvd – Published: 2026-06-09 16:04 – Updated: 2026-06-10 13:47
Title
FreeSWITCH: Pre-authentication session eviction via attacker-chosen `sessid` in `mod_verto`
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's JSON-RPC handler bound the connection to the client-supplied sessid on the first frame, before the authentication gate. Binding inserts the connection into the global session hash and, on a key collision, drops the prior occupant of that slot — sending it a verto.punt, detaching its calls, and closing its socket. An unauthenticated network attacker who knows a target session UUID could therefore evict the legitimate client. This issue has been patched in version 1.11.1.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/signalwire/freeswitch/security… | x_refsource_CONFIRM |
| https://github.com/signalwire/freeswitch/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| signalwire | freeswitch | Affected: < 1.11.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49843",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T13:46:43.345537Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T13:47:02.332Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto\u0027s JSON-RPC handler bound the connection to the client-supplied sessid on the first frame, before the authentication gate. Binding inserts the connection into the global session hash and, on a key collision, drops the prior occupant of that slot \u2014 sending it a verto.punt, detaching its calls, and closing its socket. An unauthenticated network attacker who knows a target session UUID could therefore evict the legitimate client. This issue has been patched in version 1.11.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T16:04:55.308Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-9457-fxr9-x78m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-9457-fxr9-x78m"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.1"
}
],
"source": {
"advisory": "GHSA-9457-fxr9-x78m",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH: Pre-authentication session eviction via attacker-chosen `sessid` in `mod_verto`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49843",
"datePublished": "2026-06-09T16:04:55.308Z",
"dateReserved": "2026-06-01T18:50:36.057Z",
"dateUpdated": "2026-06-10T13:47:02.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49842 (GCVE-0-2026-49842)
Vulnerability from nvd – Published: 2026-06-09 16:02 – Updated: 2026-06-09 18:39
Title
FreeSWITCH: Pre-authentication bandwidth amplification via `mod_verto` speed-test frames
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's WebSocket frame loop intercepts a #-prefixed speed-test protocol (#SPU / #SPB / #SPE) before any authentication check. The declared payload size in #SPU was parsed with atoi() and only rejected non-positive values, so an unauthenticated peer could request up to INT_MAX bytes. The server then wrote roughly size * 10 bytes back during the download phase, on the order of 20 GB per request, yielding strong outbound bandwidth amplification from a short request. This issue has been patched in version 1.11.1.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/signalwire/freeswitch/security… | x_refsource_CONFIRM |
| https://github.com/signalwire/freeswitch/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| signalwire | freeswitch | Affected: < 1.11.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49842",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T18:05:28.761050Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T18:39:33.710Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto\u0027s WebSocket frame loop intercepts a #-prefixed speed-test protocol (#SPU / #SPB / #SPE) before any authentication check. The declared payload size in #SPU was parsed with atoi() and only rejected non-positive values, so an unauthenticated peer could request up to INT_MAX bytes. The server then wrote roughly size * 10 bytes back during the download phase, on the order of 20 GB per request, yielding strong outbound bandwidth amplification from a short request. This issue has been patched in version 1.11.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T16:02:58.096Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-p3gx-p2w7-wp35",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-p3gx-p2w7-wp35"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.1"
}
],
"source": {
"advisory": "GHSA-p3gx-p2w7-wp35",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH: Pre-authentication bandwidth amplification via `mod_verto` speed-test frames"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49842",
"datePublished": "2026-06-09T16:02:58.096Z",
"dateReserved": "2026-06-01T18:50:36.057Z",
"dateUpdated": "2026-06-09T18:39:33.710Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49841 (GCVE-0-2026-49841)
Vulnerability from nvd – Published: 2026-06-09 16:02 – Updated: 2026-06-11 03:55
Title
FreeSWITCH: Pre-authentication heap buffer overflow in `mod_verto` HTTP POST body read
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, the mod_verto HTTP request handler allocates a fixed 2 MiB buffer for a POST application/x-www-form-urlencoded body but accepts Content-Length up to just under 10 MiB. The body-read loop is bounded by Content-Length rather than the buffer size, producing an attacker-controlled heap overflow of up to ~8 MiB -- before the HTTP basic-auth check runs. This issue has been patched in version 1.11.1.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/signalwire/freeswitch/security… | x_refsource_CONFIRM |
| https://github.com/signalwire/freeswitch/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| signalwire | freeswitch | Affected: < 1.11.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49841",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T03:55:21.275Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, the mod_verto HTTP request handler allocates a fixed 2 MiB buffer for a POST application/x-www-form-urlencoded body but accepts Content-Length up to just under 10 MiB. The body-read loop is bounded by Content-Length rather than the buffer size, producing an attacker-controlled heap overflow of up to ~8 MiB -- before the HTTP basic-auth check runs. This issue has been patched in version 1.11.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-131",
"description": "CWE-131: Incorrect Calculation of Buffer Size",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T16:02:24.116Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-wfrq-qvg2-f88f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-wfrq-qvg2-f88f"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.1"
}
],
"source": {
"advisory": "GHSA-wfrq-qvg2-f88f",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH: Pre-authentication heap buffer overflow in `mod_verto` HTTP POST body read"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49841",
"datePublished": "2026-06-09T16:02:24.116Z",
"dateReserved": "2026-06-01T18:50:36.057Z",
"dateUpdated": "2026-06-11T03:55:21.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49840 (GCVE-0-2026-49840)
Vulnerability from nvd – Published: 2026-06-09 16:00 – Updated: 2026-06-09 17:00
Title
FreeSWITCH: Pre-authentication heap buffer overflow in libesl `Content-Length` parsing
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, esl_recv_event() parses Content-Length with atol() and passes the result straight to malloc(len + 1) with no sign or magnitude check. A malicious or man-in-the-middle ESL peer can send a frame with a negative Content-Length to corrupt the heap of, or crash, any process linked against libesl, before the client has authenticated to that peer. This issue has been patched in version 1.11.1.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/signalwire/freeswitch/security… | x_refsource_CONFIRM |
| https://github.com/signalwire/freeswitch/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| signalwire | freeswitch | Affected: < 1.11.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49840",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T16:59:32.826404Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T17:00:21.313Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, esl_recv_event() parses Content-Length with atol() and passes the result straight to malloc(len + 1) with no sign or magnitude check. A malicious or man-in-the-middle ESL peer can send a frame with a negative Content-Length to corrupt the heap of, or crash, any process linked against libesl, before the client has authenticated to that peer. This issue has been patched in version 1.11.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-195",
"description": "CWE-195: Signed to Unsigned Conversion Error",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T16:00:56.687Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-g597-9fgg-ghg9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-g597-9fgg-ghg9"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.1"
}
],
"source": {
"advisory": "GHSA-g597-9fgg-ghg9",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH: Pre-authentication heap buffer overflow in libesl `Content-Length` parsing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49840",
"datePublished": "2026-06-09T16:00:56.687Z",
"dateReserved": "2026-06-01T18:50:36.056Z",
"dateUpdated": "2026-06-09T17:00:21.313Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49475 (GCVE-0-2026-49475)
Vulnerability from nvd – Published: 2026-06-09 16:00 – Updated: 2026-06-09 20:19
Title
FreeSWITCH: Out-of-bounds memory access in core STUN attribute parsing
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, a STUN packet whose declared attribute length is shorter than the structure the parser casts to causes the parser to read and write past the end of the attribute, producing an out-of-bounds memory access on the per-leg media buffer. This issue has been patched in version 1.11.0.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/signalwire/freeswitch/security… | x_refsource_CONFIRM |
| https://github.com/signalwire/freeswitch/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| signalwire | freeswitch | Affected: < 1.11.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49475",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T20:19:46.049879Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T20:19:56.191Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, a STUN packet whose declared attribute length is shorter than the structure the parser casts to causes the parser to read and write past the end of the attribute, producing an out-of-bounds memory access on the per-leg media buffer. This issue has been patched in version 1.11.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T16:00:32.931Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-9j6h-hc95-q926",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-9j6h-hc95-q926"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.0"
}
],
"source": {
"advisory": "GHSA-9j6h-hc95-q926",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH: Out-of-bounds memory access in core STUN attribute parsing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49475",
"datePublished": "2026-06-09T16:00:32.931Z",
"dateReserved": "2026-05-30T04:17:43.095Z",
"dateUpdated": "2026-06-09T20:19:56.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49472 (GCVE-0-2026-49472)
Vulnerability from nvd – Published: 2026-06-09 15:59 – Updated: 2026-06-10 13:45
Title
FreeSWITCH includes a vulnerable function, PREFIX(prologTok)() from libexpat
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, FreeSWITCH includes a vulnerable function, PREFIX(prologTok)(), in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c, which was cloned from an outdated and vulnerable version in libexpat/libexpat. The function did not receive the corresponding security patch. This issue has been patched in version 1.11.0.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/signalwire/freeswitch/security… | x_refsource_CONFIRM |
| https://github.com/signalwire/freeswitch/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| signalwire | freeswitch | Affected: < 1.11.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49472",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T13:45:02.631956Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T13:45:21.533Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, FreeSWITCH includes a vulnerable function, PREFIX(prologTok)(), in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c, which was cloned from an outdated and vulnerable version in libexpat/libexpat. The function did not receive the corresponding security patch. This issue has been patched in version 1.11.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T15:59:49.383Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-4jm3-xpcm-mwwq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-4jm3-xpcm-mwwq"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.0"
}
],
"source": {
"advisory": "GHSA-4jm3-xpcm-mwwq",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH includes a vulnerable function, PREFIX(prologTok)() from libexpat"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49472",
"datePublished": "2026-06-09T15:59:49.383Z",
"dateReserved": "2026-05-30T04:17:43.094Z",
"dateUpdated": "2026-06-10T13:45:21.533Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45771 (GCVE-0-2026-45771)
Vulnerability from nvd – Published: 2026-06-09 15:51 – Updated: 2026-06-09 18:24
VLAI
Title
Freeswitch Denial-of-Service in SIP PUBLISH Requests via XML Entity Expansion
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, FreeSWITCH's bundled XML parser expands nested <!ENTITY> declarations without a depth or count bound, so a small DTD can describe a body that expands exponentially ("billion laughs"). The PIDF body of a SIP PUBLISH is fed to this parser before any digest check, letting an unauthenticated network attacker force unbounded CPU and memory consumption with a single request. This issue has been patched in version 1.11.0.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/signalwire/freeswitch/security… | x_refsource_CONFIRM |
| https://github.com/signalwire/freeswitch/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| signalwire | freeswitch | Affected: < 1.11.0 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45771",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T18:24:02.924387Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T18:24:19.380Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, FreeSWITCH\u0027s bundled XML parser expands nested \u003c!ENTITY\u003e declarations without a depth or count bound, so a small DTD can describe a body that expands exponentially (\"billion laughs\"). The PIDF body of a SIP PUBLISH is fed to this parser before any digest check, letting an unauthenticated network attacker force unbounded CPU and memory consumption with a single request. This issue has been patched in version 1.11.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-776",
"description": "CWE-776: Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T15:51:49.484Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-5vjg-pv56-vg4c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-5vjg-pv56-vg4c"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.0"
}
],
"source": {
"advisory": "GHSA-5vjg-pv56-vg4c",
"discovery": "UNKNOWN"
},
"title": "Freeswitch Denial-of-Service in SIP PUBLISH Requests via XML Entity Expansion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45771",
"datePublished": "2026-06-09T15:51:49.484Z",
"dateReserved": "2026-05-13T07:45:21.251Z",
"dateUpdated": "2026-06-09T18:24:19.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-51443 (GCVE-0-2023-51443)
Vulnerability from nvd – Published: 2023-12-27 16:30 – Updated: 2025-11-04 18:21
VLAI
Title
FreeSWITCH susceptible to Denial of Service via DTLS Hello packets during call initiation
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.11, when handling DTLS-SRTP for media setup, FreeSWITCH is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. If an attacker manages to send a ClientHello DTLS message with an invalid CipherSuite (such as `TLS_NULL_WITH_NULL_NULL`) to the port on the FreeSWITCH server that is expecting packets from the caller, a DTLS error is generated. This results in the media session being torn down, which is followed by teardown at signaling (SIP) level too. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable FreeSWITCH servers for calls that rely on DTLS-SRTP. To address this vulnerability, upgrade FreeSWITCH to 1.10.11 which includes the security fix. The solution implemented is to drop all packets from addresses that have not been validated by an ICE check.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-703 - Improper Check or Handling of Exceptional Conditions
Assigner
References
5 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| signalwire | freeswitch | Affected: < 1.10.11 | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T18:21:32.334Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-39gv-hq72-j6m6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-39gv-hq72-j6m6"
},
{
"name": "https://github.com/signalwire/freeswitch/commit/86cbda90b84ba186e508fbc7bfae469270a97d11",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/commit/86cbda90b84ba186e508fbc7bfae469270a97d11"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/176393/FreeSWITCH-Denial-Of-Service.html"
},
{
"url": "http://packetstormsecurity.com/files/176311/FreeSWITCH-1.10.10-Denial-Of-Service.html"
},
{
"url": "http://seclists.org/fulldisclosure/2023/Dec/29"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51443",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T15:19:54.460268Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T15:29:46.844Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.11, when handling DTLS-SRTP for media setup, FreeSWITCH is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. If an attacker manages to send a ClientHello DTLS message with an invalid CipherSuite (such as `TLS_NULL_WITH_NULL_NULL`) to the port on the FreeSWITCH server that is expecting packets from the caller, a DTLS error is generated. This results in the media session being torn down, which is followed by teardown at signaling (SIP) level too. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable FreeSWITCH servers for calls that rely on DTLS-SRTP. To address this vulnerability, upgrade FreeSWITCH to 1.10.11 which includes the security fix. The solution implemented is to drop all packets from addresses that have not been validated by an ICE check."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-703",
"description": "CWE-703: Improper Check or Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-08T16:06:20.244Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-39gv-hq72-j6m6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-39gv-hq72-j6m6"
},
{
"name": "https://github.com/signalwire/freeswitch/commit/86cbda90b84ba186e508fbc7bfae469270a97d11",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/commit/86cbda90b84ba186e508fbc7bfae469270a97d11"
},
{
"url": "http://packetstormsecurity.com/files/176393/FreeSWITCH-Denial-Of-Service.html"
}
],
"source": {
"advisory": "GHSA-39gv-hq72-j6m6",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH susceptible to Denial of Service via DTLS Hello packets during call initiation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-51443",
"datePublished": "2023-12-27T16:30:48.425Z",
"dateReserved": "2023-12-19T13:52:41.787Z",
"dateUpdated": "2025-11-04T18:21:32.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-40019 (GCVE-0-2023-40019)
Vulnerability from nvd – Published: 2023-09-15 19:34 – Updated: 2024-09-25 18:24
VLAI
Title
FreeSWITCH allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows authorized users to cause a denial of service attack by sending a re-INVITE with SDP containing duplicate codec names. When a call in FreeSWITCH completes codec negotiation, the `codec_string` channel variable is set with the result of the negotiation. On a subsequent re-negotiation, if an SDP is offered that contains codecs with the same names but with different formats, FreeSWITCH may detect too many codec matches, leading to overflows of its internal arrays. By abusing this vulnerability, an attacker is able to corrupt the stack of FreeSWITCH, leading to undefined behavior of the system or simply crashing it. Version 1.10.10 contains a patch for this issue.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/signalwire/freeswitch/security… | x_refsource_CONFIRM |
| https://github.com/signalwire/freeswitch/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| signalwire | freeswitch | Affected: < 1.10.10 | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:24:54.547Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-gjj5-79p2-9g3q",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-gjj5-79p2-9g3q"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40019",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T18:23:34.223244Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T18:24:36.310Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names. When a call in FreeSWITCH completes codec negotiation, the `codec_string` channel variable is set with the result of the negotiation. On a subsequent re-negotiation, if an SDP is offered that contains codecs with the same names but with different formats, there may be too many codec matches detected by FreeSWITCH leading to overflows of its internal arrays. By abusing this vulnerability, an attacker is able to corrupt stack of FreeSWITCH leading to an undefined behavior of the system or simply crash it. Version 1.10.10 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-15T19:34:32.429Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-gjj5-79p2-9g3q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-gjj5-79p2-9g3q"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10"
}
],
"source": {
"advisory": "GHSA-gjj5-79p2-9g3q",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-40019",
"datePublished": "2023-09-15T19:34:32.429Z",
"dateReserved": "2023-08-08T13:46:25.242Z",
"dateUpdated": "2024-09-25T18:24:36.310Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40018 (GCVE-0-2023-40018)
Vulnerability from nvd – Published: 2023-09-15 19:32 – Updated: 2024-09-25 18:02
VLAI
Title
FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows remote users to trigger an out-of-bounds write by offering an ICE candidate with an unknown component ID. When an SDP is offered with any ICE candidates with an unknown component ID, FreeSWITCH will make an out-of-bounds write to its arrays. By abusing this vulnerability, an attacker is able to corrupt FreeSWITCH memory, leading to undefined behavior of the system or a crash. Version 1.10.10 contains a patch for this issue.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/signalwire/freeswitch/security… | x_refsource_CONFIRM |
| https://github.com/signalwire/freeswitch/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| signalwire | freeswitch | Affected: < 1.10.10 | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:24:54.689Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40018",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T18:02:51.253210Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T18:02:59.227Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID. When an SDP is offered with any ICE candidates with an unknown component ID, FreeSWITCH will make an out of bounds write to its arrays. By abusing this vulnerability, an attacker is able to corrupt FreeSWITCH memory leading to an undefined behavior of the system or a crash of it. Version 1.10.10 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-15T19:32:19.207Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10"
}
],
"source": {
"advisory": "GHSA-7mwp-86fv-hcg3",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-40018",
"datePublished": "2023-09-15T19:32:19.207Z",
"dateReserved": "2023-08-08T13:46:25.242Z",
"dateUpdated": "2024-09-25T18:02:59.227Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32307 (GCVE-0-2023-32307)
Vulnerability from nvd – Published: 2023-05-26 22:11 – Updated: 2025-02-13 16:50
VLAI
Title
heap-over-flow and integer-overflow in sofia-sip
Summary
Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification.
Referring to [GHSA-8599-x7rq-fr54](https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54), several other potential heap-over-flow and integer-overflow issues in stun_parse_attr_error_code and stun_parse_attr_uint32 were found because of the lack of attribute length checks when Sofia-SIP handles STUN packets. The previous patch for [GHSA-8599-x7rq-fr54](https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54) fixed the vulnerability when attr_type did not match the enum value, but there are also vulnerabilities in the handling of other valid cases. The OOB read and integer-overflow caused by an attacker may lead to a crash, high consumption of memory or even other more serious consequences. These issues have been addressed in version 1.13.15. Users are advised to upgrade.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| freeswitch | sofia-sip | Affected: < 1.13.15 | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:10:24.454Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-rm4c-ccvf-ff9c",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-rm4c-ccvf-ff9c"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00002.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5431"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OY66DOQ3B7GULJTI66X5HNX5FU3P65CX/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32307",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-14T19:20:35.060813Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T19:20:38.299Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-rm4c-ccvf-ff9c"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sofia-sip",
"vendor": "freeswitch",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification.\nReferring to [GHSA-8599-x7rq-fr54](https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54), several other potential heap-over-flow and integer-overflow in stun_parse_attr_error_code and stun_parse_attr_uint32 were found because the lack of attributes length check when Sofia-SIP handles STUN packets. The previous patch of [GHSA-8599-x7rq-fr54](https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54) fixed the vulnerability when attr_type did not match the enum value, but there are also vulnerabilities in the handling of other valid cases. The OOB read and integer-overflow made by attacker may lead to crash, high consumption of memory or even other more serious consequences. These issue have been addressed in version 1.13.15. Users are advised to upgrade."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T03:06:35.254Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-rm4c-ccvf-ff9c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-rm4c-ccvf-ff9c"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00002.html"
},
{
"url": "https://www.debian.org/security/2023/dsa-5431"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OY66DOQ3B7GULJTI66X5HNX5FU3P65CX/"
}
],
"source": {
"advisory": "GHSA-rm4c-ccvf-ff9c",
"discovery": "UNKNOWN"
},
"title": "heap-over-flow and integer-overflow in sofia-sip"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32307",
"datePublished": "2023-05-26T22:11:16.875Z",
"dateReserved": "2023-05-08T13:26:03.878Z",
"dateUpdated": "2025-02-13T16:50:31.155Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22741 (GCVE-0-2023-22741)
Vulnerability from nvd – Published: 2023-01-19 21:20 – Updated: 2025-03-10 21:21
VLAI
Title
heap-over-flow in stun_parse_attribute in sofia-sip
Summary
Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification. In affected versions Sofia-SIP **lacks both message length and attributes length checks** when it handles STUN packets, leading to controllable heap-over-flow. For example, in stun_parse_attribute(), after we get the attribute's type and length value, the length will be used directly to copy from the heap, regardless of the message's left size. Since network users control the overflowed length, and the data is written to heap chunks later, attackers may achieve remote code execution by heap grooming or other exploitation methods. The bug was introduced 16 years ago in sofia-sip 1.12.4 (plus some patches through 12/21/2006) to in tree libs with git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@3774 d0543943-73ff-0310-b7d9-9358b9ac24b2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/freeswitch/sofia-sip/security/… | x_refsource_CONFIRM |
| https://github.com/freeswitch/sofia-sip/commit/da… | x_refsource_MISC |
| https://www.debian.org/security/2023/dsa-5410 | |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| freeswitch | sofia-sip | Affected: < 1.13.11 | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:20:30.275Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54"
},
{
"name": "https://github.com/freeswitch/sofia-sip/commit/da53e4fbcb138b080a75576dd49c1fff2ada2764",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/freeswitch/sofia-sip/commit/da53e4fbcb138b080a75576dd49c1fff2ada2764"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5410"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22741",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T21:02:31.088557Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:21:43.727Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sofia-sip",
"vendor": "freeswitch",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification. In affected versions Sofia-SIP **lacks both message length and attributes length checks** when it handles STUN packets, leading to controllable heap-over-flow. For example, in stun_parse_attribute(), after we get the attribute\u0027s type and length value, the length will be used directly to copy from the heap, regardless of the message\u0027s left size. Since network users control the overflowed length, and the data is written to heap chunks later, attackers may achieve remote code execution by heap grooming or other exploitation methods. The bug was introduced 16 years ago in sofia-sip 1.12.4 (plus some patches through 12/21/2006) to in tree libs with git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@3774 d0543943-73ff-0310-b7d9-9358b9ac24b2. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-24T20:06:39.210Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54"
},
{
"name": "https://github.com/freeswitch/sofia-sip/commit/da53e4fbcb138b080a75576dd49c1fff2ada2764",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/freeswitch/sofia-sip/commit/da53e4fbcb138b080a75576dd49c1fff2ada2764"
},
{
"url": "https://www.debian.org/security/2023/dsa-5410"
}
],
"source": {
"advisory": "GHSA-8599-x7rq-fr54",
"discovery": "UNKNOWN"
},
"title": "heap-over-flow in stun_parse_attribute in sofia-sip"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-22741",
"datePublished": "2023-01-19T21:20:22.744Z",
"dateReserved": "2023-01-06T14:21:05.892Z",
"dateUpdated": "2025-03-10T21:21:43.727Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31003 (GCVE-0-2022-31003)
Vulnerability from nvd – Published: 2022-05-31 00:00 – Updated: 2025-04-22 17:55
Title
Heap-based Buffer Overflow and Out-of-bounds Write in Sofia-SIP
Summary
Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent library. Prior to version 1.13.8, when parsing each line of a sdp message, `rest = record + 2` will access the memory behind `\0` and cause an out-of-bounds write. An attacker can send a message with evil sdp to FreeSWITCH, causing a crash or more serious consequence, such as remote code execution. Version 1.13.8 contains a patch for this issue.
Severity
9.1 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| freeswitch | sofia-sip | Affected: < 1.13.8 | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:03:40.261Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8w5j-6g2j-pxcp"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/freeswitch/sofia-sip/commit/907f2ac0ee504c93ebfefd676b4632a3575908c9"
},
{
"name": "[debian-lts-announce] 20220902 [SECURITY] [DLA 3091-1] sofia-sip security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00001.html"
},
{
"name": "GLSA-202210-18",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202210-18"
},
{
"name": "DSA-5410",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5410"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31003",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:41:07.596387Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:55:56.743Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sofia-sip",
"vendor": "freeswitch",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sofia-SIP is an open-source Session Initiation Protocol (SIP) User-Agent library. Prior to version 1.13.8, when parsing each line of a sdp message, `rest = record + 2` will access the memory behind `\\0` and cause an out-of-bounds write. An attacker can send a message with evil sdp to FreeSWITCH, causing a crash or more serious consequence, such as remote code execution. Version 1.13.8 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-24T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8w5j-6g2j-pxcp"
},
{
"url": "https://github.com/freeswitch/sofia-sip/commit/907f2ac0ee504c93ebfefd676b4632a3575908c9"
},
{
"name": "[debian-lts-announce] 20220902 [SECURITY] [DLA 3091-1] sofia-sip security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00001.html"
},
{
"name": "GLSA-202210-18",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202210-18"
},
{
"name": "DSA-5410",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5410"
}
],
"source": {
"advisory": "GHSA-8w5j-6g2j-pxcp",
"discovery": "UNKNOWN"
},
"title": "Heap-based Buffer Overflow and Out-of-bounds Write in Sofia-SIP"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31003",
"datePublished": "2022-05-31T00:00:00.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:55:56.743Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-49848 (GCVE-0-2026-49848)
Vulnerability from cvelistv5 – Published: 2026-06-09 16:05 – Updated: 2026-06-09 16:53
Title
FreeSWITCH: Pre-authentication `userVariables` injection in `mod_verto`
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's check_auth userauth branch wrote request-supplied userVariables into the connection state before comparing the supplied password. The writes are append-only and the connection is not closed on a failed compare, so values declared on bad-password attempts persisted on the same WebSocket and carried into a subsequent successful login on that connection. This issue has been patched in version 1.11.1.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/signalwire/freeswitch/security… | x_refsource_CONFIRM |
| https://github.com/signalwire/freeswitch/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| signalwire | freeswitch | Affected: < 1.11.1 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49848",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T16:50:30.238651Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T16:53:15.989Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto\u0027s check_auth userauth branch wrote request-supplied userVariables into the connection state before comparing the supplied password. The writes are append-only and the connection is not closed on a failed compare, so values declared on bad-password attempts persisted on the same WebSocket and carried into a subsequent successful login on that connection. This issue has been patched in version 1.11.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T16:05:42.064Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-j38x-xm7f-9p2f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-j38x-xm7f-9p2f"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.1"
}
],
"source": {
"advisory": "GHSA-j38x-xm7f-9p2f",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH: Pre-authentication `userVariables` injection in `mod_verto`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49848",
"datePublished": "2026-06-09T16:05:42.064Z",
"dateReserved": "2026-06-01T22:03:19.640Z",
"dateUpdated": "2026-06-09T16:53:15.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49847 (GCVE-0-2026-49847)
Vulnerability from cvelistv5 – Published: 2026-06-09 16:05 – Updated: 2026-06-09 20:20
Title
FreeSWITCH: Stack overflow in bundled cJSON parser via deeply nested JSON
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, a single unauthenticated WebSocket frame containing a deeply nested JSON document crashes the FreeSWITCH process via stack overflow, terminating all calls and sessions on the host. The recursion drives the worker thread's stack pointer into the stack guard page, raising SIGSEGV from the kernel before any usable write primitive develops. This issue has been patched in version 1.11.1.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-674 - Uncontrolled Recursion
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/signalwire/freeswitch/security… | x_refsource_CONFIRM |
| https://github.com/signalwire/freeswitch/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| signalwire | freeswitch | Affected: < 1.11.1 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49847",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T20:20:23.647601Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T20:20:37.647Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, a single unauthenticated WebSocket frame containing a deeply nested JSON document crashes the FreeSWITCH process via stack overflow, terminating all calls and sessions on the host. The recursion drives the worker thread\u0027s stack pointer into the stack guard page, raising SIGSEGV from the kernel before any usable write primitive develops. This issue has been patched in version 1.11.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674: Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T16:05:08.869Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-2v74-pcgh-75wg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-2v74-pcgh-75wg"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.1"
}
],
"source": {
"advisory": "GHSA-2v74-pcgh-75wg",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH: Stack overflow in bundled cJSON parser via deeply nested JSON"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49847",
"datePublished": "2026-06-09T16:05:08.869Z",
"dateReserved": "2026-06-01T22:03:19.640Z",
"dateUpdated": "2026-06-09T20:20:37.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49843 (GCVE-0-2026-49843)
Vulnerability from cvelistv5 – Published: 2026-06-09 16:04 – Updated: 2026-06-10 13:47
Title
FreeSWITCH: Pre-authentication session eviction via attacker-chosen `sessid` in `mod_verto`
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's JSON-RPC handler bound the connection to the client-supplied sessid on the first frame, before the authentication gate. Binding inserts the connection into the global session hash and, on a key collision, drops the prior occupant of that slot — sending it a verto.punt, detaching its calls, and closing its socket. An unauthenticated network attacker who knows a target session UUID could therefore evict the legitimate client. This issue has been patched in version 1.11.1.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/signalwire/freeswitch/security… | x_refsource_CONFIRM |
| https://github.com/signalwire/freeswitch/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| signalwire | freeswitch | Affected: < 1.11.1 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49843",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T13:46:43.345537Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T13:47:02.332Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto\u0027s JSON-RPC handler bound the connection to the client-supplied sessid on the first frame, before the authentication gate. Binding inserts the connection into the global session hash and, on a key collision, drops the prior occupant of that slot \u2014 sending it a verto.punt, detaching its calls, and closing its socket. An unauthenticated network attacker who knows a target session UUID could therefore evict the legitimate client. This issue has been patched in version 1.11.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T16:04:55.308Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-9457-fxr9-x78m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-9457-fxr9-x78m"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.1"
}
],
"source": {
"advisory": "GHSA-9457-fxr9-x78m",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH: Pre-authentication session eviction via attacker-chosen `sessid` in `mod_verto`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49843",
"datePublished": "2026-06-09T16:04:55.308Z",
"dateReserved": "2026-06-01T18:50:36.057Z",
"dateUpdated": "2026-06-10T13:47:02.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49842 (GCVE-0-2026-49842)
Vulnerability from cvelistv5 – Published: 2026-06-09 16:02 – Updated: 2026-06-09 18:39
Title
FreeSWITCH: Pre-authentication bandwidth amplification via `mod_verto` speed-test frames
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's WebSocket frame loop intercepts a #-prefixed speed-test protocol (#SPU / #SPB / #SPE) before any authentication check. The declared payload size in #SPU was parsed with atoi() and only rejected non-positive values, so an unauthenticated peer could request up to INT_MAX bytes. The server then wrote roughly size * 10 bytes back during the download phase, on the order of 20 GB per request, yielding strong outbound bandwidth amplification from a short request. This issue has been patched in version 1.11.1.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/signalwire/freeswitch/security… | x_refsource_CONFIRM |
| https://github.com/signalwire/freeswitch/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| signalwire | freeswitch | Affected: < 1.11.1 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49842",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T18:05:28.761050Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T18:39:33.710Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto\u0027s WebSocket frame loop intercepts a #-prefixed speed-test protocol (#SPU / #SPB / #SPE) before any authentication check. The declared payload size in #SPU was parsed with atoi() and only rejected non-positive values, so an unauthenticated peer could request up to INT_MAX bytes. The server then wrote roughly size * 10 bytes back during the download phase, on the order of 20 GB per request, yielding strong outbound bandwidth amplification from a short request. This issue has been patched in version 1.11.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T16:02:58.096Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-p3gx-p2w7-wp35",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-p3gx-p2w7-wp35"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.1"
}
],
"source": {
"advisory": "GHSA-p3gx-p2w7-wp35",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH: Pre-authentication bandwidth amplification via `mod_verto` speed-test frames"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49842",
"datePublished": "2026-06-09T16:02:58.096Z",
"dateReserved": "2026-06-01T18:50:36.057Z",
"dateUpdated": "2026-06-09T18:39:33.710Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49841 (GCVE-0-2026-49841)
Vulnerability from cvelistv5 – Published: 2026-06-09 16:02 – Updated: 2026-06-11 03:55
Title
FreeSWITCH: Pre-authentication heap buffer overflow in `mod_verto` HTTP POST body read
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, the mod_verto HTTP request handler allocates a fixed 2 MiB buffer for a POST application/x-www-form-urlencoded body but accepts Content-Length up to just under 10 MiB. The body-read loop is bounded by Content-Length rather than the buffer size, producing an attacker-controlled heap overflow of up to ~8 MiB -- before the HTTP basic-auth check runs. This issue has been patched in version 1.11.1.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/signalwire/freeswitch/security… | x_refsource_CONFIRM |
| https://github.com/signalwire/freeswitch/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| signalwire | freeswitch | Affected: < 1.11.1 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49841",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T03:55:21.275Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, the mod_verto HTTP request handler allocates a fixed 2 MiB buffer for a POST application/x-www-form-urlencoded body but accepts Content-Length up to just under 10 MiB. The body-read loop is bounded by Content-Length rather than the buffer size, producing an attacker-controlled heap overflow of up to ~8 MiB -- before the HTTP basic-auth check runs. This issue has been patched in version 1.11.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-131",
"description": "CWE-131: Incorrect Calculation of Buffer Size",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T16:02:24.116Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-wfrq-qvg2-f88f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-wfrq-qvg2-f88f"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.1"
}
],
"source": {
"advisory": "GHSA-wfrq-qvg2-f88f",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH: Pre-authentication heap buffer overflow in `mod_verto` HTTP POST body read"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49841",
"datePublished": "2026-06-09T16:02:24.116Z",
"dateReserved": "2026-06-01T18:50:36.057Z",
"dateUpdated": "2026-06-11T03:55:21.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49840 (GCVE-0-2026-49840)
Vulnerability from cvelistv5 – Published: 2026-06-09 16:00 – Updated: 2026-06-09 17:00
Title
FreeSWITCH: Pre-authentication heap buffer overflow in libesl `Content-Length` parsing
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, esl_recv_event() parses Content-Length with atol() and passes the result straight to malloc(len + 1) with no sign or magnitude check. A malicious or man-in-the-middle ESL peer can send a frame with a negative Content-Length to corrupt the heap of, or crash, any process linked against libesl, before the client has authenticated to that peer. This issue has been patched in version 1.11.1.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/signalwire/freeswitch/security… | x_refsource_CONFIRM |
| https://github.com/signalwire/freeswitch/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| signalwire | freeswitch | Affected: < 1.11.1 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49840",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T16:59:32.826404Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T17:00:21.313Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, esl_recv_event() parses Content-Length with atol() and passes the result straight to malloc(len + 1) with no sign or magnitude check. A malicious or man-in-the-middle ESL peer can send a frame with a negative Content-Length to corrupt the heap of, or crash, any process linked against libesl, before the client has authenticated to that peer. This issue has been patched in version 1.11.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-195",
"description": "CWE-195: Signed to Unsigned Conversion Error",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T16:00:56.687Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-g597-9fgg-ghg9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-g597-9fgg-ghg9"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.1"
}
],
"source": {
"advisory": "GHSA-g597-9fgg-ghg9",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH: Pre-authentication heap buffer overflow in libesl `Content-Length` parsing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49840",
"datePublished": "2026-06-09T16:00:56.687Z",
"dateReserved": "2026-06-01T18:50:36.056Z",
"dateUpdated": "2026-06-09T17:00:21.313Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49475 (GCVE-0-2026-49475)
Vulnerability from cvelistv5 – Published: 2026-06-09 16:00 – Updated: 2026-06-09 20:19
Title
FreeSWITCH: Out-of-bounds memory access in core STUN attribute parsing
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, a STUN packet whose declared attribute length is shorter than the structure the parser casts to causes the parser to read and write past the end of the attribute, producing an out-of-bounds memory access on the per-leg media buffer. This issue has been patched in version 1.11.0.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/signalwire/freeswitch/security… | x_refsource_CONFIRM |
| https://github.com/signalwire/freeswitch/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| signalwire | freeswitch | Affected: < 1.11.0 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49475",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T20:19:46.049879Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T20:19:56.191Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, a STUN packet whose declared attribute length is shorter than the structure the parser casts to causes the parser to read and write past the end of the attribute, producing an out-of-bounds memory access on the per-leg media buffer. This issue has been patched in version 1.11.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T16:00:32.931Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-9j6h-hc95-q926",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-9j6h-hc95-q926"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.0"
}
],
"source": {
"advisory": "GHSA-9j6h-hc95-q926",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH: Out-of-bounds memory access in core STUN attribute parsing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49475",
"datePublished": "2026-06-09T16:00:32.931Z",
"dateReserved": "2026-05-30T04:17:43.095Z",
"dateUpdated": "2026-06-09T20:19:56.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49472 (GCVE-0-2026-49472)
Vulnerability from cvelistv5 – Published: 2026-06-09 15:59 – Updated: 2026-06-10 13:45
Title
FreeSWITCH includes a vulnerable function, PREFIX(prologTok)() from libexpat
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, FreeSWITCH includes a vulnerable function, PREFIX(prologTok)(), in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c, which was cloned from an outdated and vulnerable version in libexpat/libexpat. The function did not receive the corresponding security patch. This issue has been patched in version 1.11.0.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/signalwire/freeswitch/security… | x_refsource_CONFIRM |
| https://github.com/signalwire/freeswitch/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| signalwire | freeswitch | Affected: < 1.11.0 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-49472",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T13:45:02.631956Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T13:45:21.533Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, FreeSWITCH includes a vulnerable function, PREFIX(prologTok)(), in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c, which was cloned from an outdated and vulnerable version in libexpat/libexpat. The function did not receive the corresponding security patch. This issue has been patched in version 1.11.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T15:59:49.383Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-4jm3-xpcm-mwwq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-4jm3-xpcm-mwwq"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.0"
}
],
"source": {
"advisory": "GHSA-4jm3-xpcm-mwwq",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH includes a vulnerable function, PREFIX(prologTok)() from libexpat"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-49472",
"datePublished": "2026-06-09T15:59:49.383Z",
"dateReserved": "2026-05-30T04:17:43.094Z",
"dateUpdated": "2026-06-10T13:45:21.533Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45771 (GCVE-0-2026-45771)
Vulnerability from cvelistv5 – Published: 2026-06-09 15:51 – Updated: 2026-06-09 18:24
Title
Freeswitch Denial-of-Service in SIP PUBLISH Requests via XML Entity Expansion
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, FreeSWITCH's bundled XML parser expands nested <!ENTITY> declarations without a depth or count bound, so a small DTD can describe a body that expands exponentially ("billion laughs"). The PIDF body of a SIP PUBLISH is fed to this parser before any digest check, letting an unauthenticated network attacker force unbounded CPU and memory consumption with a single request. This issue has been patched in version 1.11.0.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/signalwire/freeswitch/security… | x_refsource_CONFIRM |
| https://github.com/signalwire/freeswitch/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| signalwire | freeswitch | Affected: < 1.11.0 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45771",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T18:24:02.924387Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T18:24:19.380Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, FreeSWITCH\u0027s bundled XML parser expands nested \u003c!ENTITY\u003e declarations without a depth or count bound, so a small DTD can describe a body that expands exponentially (\"billion laughs\"). The PIDF body of a SIP PUBLISH is fed to this parser before any digest check, letting an unauthenticated network attacker force unbounded CPU and memory consumption with a single request. This issue has been patched in version 1.11.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-776",
"description": "CWE-776: Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T15:51:49.484Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-5vjg-pv56-vg4c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-5vjg-pv56-vg4c"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.11.0"
}
],
"source": {
"advisory": "GHSA-5vjg-pv56-vg4c",
"discovery": "UNKNOWN"
},
"title": "Freeswitch Denial-of-Service in SIP PUBLISH Requests via XML Entity Expansion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45771",
"datePublished": "2026-06-09T15:51:49.484Z",
"dateReserved": "2026-05-13T07:45:21.251Z",
"dateUpdated": "2026-06-09T18:24:19.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-51443 (GCVE-0-2023-51443)
Vulnerability from cvelistv5 – Published: 2023-12-27 16:30 – Updated: 2025-11-04 18:21
Title
FreeSWITCH susceptible to Denial of Service via DTLS Hello packets during call initiation
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.11, when handling DTLS-SRTP for media setup, FreeSWITCH is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. If an attacker manages to send a ClientHello DTLS message with an invalid CipherSuite (such as `TLS_NULL_WITH_NULL_NULL`) to the port on the FreeSWITCH server that is expecting packets from the caller, a DTLS error is generated. This results in the media session being torn down, which is followed by teardown at signaling (SIP) level too. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable FreeSWITCH servers for calls that rely on DTLS-SRTP. To address this vulnerability, upgrade FreeSWITCH to 1.10.11 which includes the security fix. The solution implemented is to drop all packets from addresses that have not been validated by an ICE check.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-703 - Improper Check or Handling of Exceptional Conditions
Assigner
References
5 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| signalwire | freeswitch | Affected: < 1.10.11 | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T18:21:32.334Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-39gv-hq72-j6m6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-39gv-hq72-j6m6"
},
{
"name": "https://github.com/signalwire/freeswitch/commit/86cbda90b84ba186e508fbc7bfae469270a97d11",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/commit/86cbda90b84ba186e508fbc7bfae469270a97d11"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/176393/FreeSWITCH-Denial-Of-Service.html"
},
{
"url": "http://packetstormsecurity.com/files/176311/FreeSWITCH-1.10.10-Denial-Of-Service.html"
},
{
"url": "http://seclists.org/fulldisclosure/2023/Dec/29"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51443",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T15:19:54.460268Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T15:29:46.844Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.11, when handling DTLS-SRTP for media setup, FreeSWITCH is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. If an attacker manages to send a ClientHello DTLS message with an invalid CipherSuite (such as `TLS_NULL_WITH_NULL_NULL`) to the port on the FreeSWITCH server that is expecting packets from the caller, a DTLS error is generated. This results in the media session being torn down, which is followed by teardown at signaling (SIP) level too. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable FreeSWITCH servers for calls that rely on DTLS-SRTP. To address this vulnerability, upgrade FreeSWITCH to 1.10.11 which includes the security fix. The solution implemented is to drop all packets from addresses that have not been validated by an ICE check."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-703",
"description": "CWE-703: Improper Check or Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-08T16:06:20.244Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-39gv-hq72-j6m6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-39gv-hq72-j6m6"
},
{
"name": "https://github.com/signalwire/freeswitch/commit/86cbda90b84ba186e508fbc7bfae469270a97d11",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/commit/86cbda90b84ba186e508fbc7bfae469270a97d11"
},
{
"url": "http://packetstormsecurity.com/files/176393/FreeSWITCH-Denial-Of-Service.html"
}
],
"source": {
"advisory": "GHSA-39gv-hq72-j6m6",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH susceptible to Denial of Service via DTLS Hello packets during call initiation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-51443",
"datePublished": "2023-12-27T16:30:48.425Z",
"dateReserved": "2023-12-19T13:52:41.787Z",
"dateUpdated": "2025-11-04T18:21:32.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-40019 (GCVE-0-2023-40019)
Vulnerability from cvelistv5 – Published: 2023-09-15 19:34 – Updated: 2024-09-25 18:24
Title
FreeSWITCH allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows authorized users to cause a denial of service attack by sending a re-INVITE with SDP containing duplicate codec names. When a call in FreeSWITCH completes codec negotiation, the `codec_string` channel variable is set with the result of the negotiation. On a subsequent re-negotiation, if an SDP is offered that contains codecs with the same names but with different formats, FreeSWITCH may detect too many codec matches, leading to overflows of its internal arrays. By abusing this vulnerability, an attacker is able to corrupt the stack of FreeSWITCH, leading to undefined behavior of the system, or simply crash it. Version 1.10.10 contains a patch for this issue.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/signalwire/freeswitch/security… | x_refsource_CONFIRM |
| https://github.com/signalwire/freeswitch/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| signalwire | freeswitch | Affected: < 1.10.10 | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:24:54.547Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-gjj5-79p2-9g3q",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-gjj5-79p2-9g3q"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40019",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T18:23:34.223244Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T18:24:36.310Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names. When a call in FreeSWITCH completes codec negotiation, the `codec_string` channel variable is set with the result of the negotiation. On a subsequent re-negotiation, if an SDP is offered that contains codecs with the same names but with different formats, there may be too many codec matches detected by FreeSWITCH leading to overflows of its internal arrays. By abusing this vulnerability, an attacker is able to corrupt stack of FreeSWITCH leading to an undefined behavior of the system or simply crash it. Version 1.10.10 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-15T19:34:32.429Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-gjj5-79p2-9g3q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-gjj5-79p2-9g3q"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10"
}
],
"source": {
"advisory": "GHSA-gjj5-79p2-9g3q",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-40019",
"datePublished": "2023-09-15T19:34:32.429Z",
"dateReserved": "2023-08-08T13:46:25.242Z",
"dateUpdated": "2024-09-25T18:24:36.310Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-40018 (GCVE-0-2023-40018)
Vulnerability from cvelistv5 – Published: 2023-09-15 19:32 – Updated: 2024-09-25 18:02
Title
FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID
Summary
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows remote users to trigger an out-of-bounds write by offering an ICE candidate with an unknown component ID. When an SDP is offered with any ICE candidates with an unknown component ID, FreeSWITCH will make an out-of-bounds write to its arrays. By abusing this vulnerability, an attacker is able to corrupt FreeSWITCH memory, leading to undefined behavior of the system or a crash. Version 1.10.10 contains a patch for this issue.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/signalwire/freeswitch/security… | x_refsource_CONFIRM |
| https://github.com/signalwire/freeswitch/releases… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| signalwire | freeswitch | Affected: < 1.10.10 | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:24:54.689Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-40018",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T18:02:51.253210Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T18:02:59.227Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freeswitch",
"vendor": "signalwire",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.10, FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID. When an SDP is offered with any ICE candidates with an unknown component ID, FreeSWITCH will make an out of bounds write to its arrays. By abusing this vulnerability, an attacker is able to corrupt FreeSWITCH memory leading to an undefined behavior of the system or a crash of it. Version 1.10.10 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-15T19:32:19.207Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/signalwire/freeswitch/security/advisories/GHSA-7mwp-86fv-hcg3"
},
{
"name": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.10"
}
],
"source": {
"advisory": "GHSA-7mwp-86fv-hcg3",
"discovery": "UNKNOWN"
},
"title": "FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-40018",
"datePublished": "2023-09-15T19:32:19.207Z",
"dateReserved": "2023-08-08T13:46:25.242Z",
"dateUpdated": "2024-09-25T18:02:59.227Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32307 (GCVE-0-2023-32307)
Vulnerability from cvelistv5 – Published: 2023-05-26 22:11 – Updated: 2025-02-13 16:50
VLAI
Title
heap-over-flow and integer-overflow in sofia-sip
Summary
Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification.
Referring to [GHSA-8599-x7rq-fr54](https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54), several other potential heap-over-flow and integer-overflow issues in stun_parse_attr_error_code and stun_parse_attr_uint32 were found because of the lack of attribute length checks when Sofia-SIP handles STUN packets. The previous patch of [GHSA-8599-x7rq-fr54](https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54) fixed the vulnerability when attr_type did not match the enum value, but there are also vulnerabilities in the handling of other valid cases. The OOB read and integer-overflow made by an attacker may lead to a crash, high consumption of memory or even other more serious consequences. These issues have been addressed in version 1.13.15. Users are advised to upgrade.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| freeswitch | sofia-sip | Affected: < 1.13.15 | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:10:24.454Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-rm4c-ccvf-ff9c",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-rm4c-ccvf-ff9c"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00002.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5431"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OY66DOQ3B7GULJTI66X5HNX5FU3P65CX/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32307",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-14T19:20:35.060813Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-14T19:20:38.299Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-rm4c-ccvf-ff9c"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sofia-sip",
"vendor": "freeswitch",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification.\nReferring to [GHSA-8599-x7rq-fr54](https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54), several other potential heap-over-flow and integer-overflow in stun_parse_attr_error_code and stun_parse_attr_uint32 were found because the lack of attributes length check when Sofia-SIP handles STUN packets. The previous patch of [GHSA-8599-x7rq-fr54](https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54) fixed the vulnerability when attr_type did not match the enum value, but there are also vulnerabilities in the handling of other valid cases. The OOB read and integer-overflow made by attacker may lead to crash, high consumption of memory or even other more serious consequences. These issue have been addressed in version 1.13.15. Users are advised to upgrade."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T03:06:35.254Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-rm4c-ccvf-ff9c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-rm4c-ccvf-ff9c"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00002.html"
},
{
"url": "https://www.debian.org/security/2023/dsa-5431"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OY66DOQ3B7GULJTI66X5HNX5FU3P65CX/"
}
],
"source": {
"advisory": "GHSA-rm4c-ccvf-ff9c",
"discovery": "UNKNOWN"
},
"title": "heap-over-flow and integer-overflow in sofia-sip"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32307",
"datePublished": "2023-05-26T22:11:16.875Z",
"dateReserved": "2023-05-08T13:26:03.878Z",
"dateUpdated": "2025-02-13T16:50:31.155Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22741 (GCVE-0-2023-22741)
Vulnerability from cvelistv5 – Published: 2023-01-19 21:20 – Updated: 2025-03-10 21:21
VLAI
Title
heap-over-flow in stun_parse_attribute in sofia-sip
Summary
Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification. In affected versions Sofia-SIP **lacks both message length and attributes length checks** when it handles STUN packets, leading to controllable heap-over-flow. For example, in stun_parse_attribute(), after we get the attribute's type and length value, the length will be used directly to copy from the heap, regardless of the message's left size. Since network users control the overflowed length, and the data is written to heap chunks later, attackers may achieve remote code execution by heap grooming or other exploitation methods. The bug was introduced 16 years ago in sofia-sip 1.12.4 (plus some patches through 12/21/2006) to in tree libs with git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@3774 d0543943-73ff-0310-b7d9-9358b9ac24b2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
9.8 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/freeswitch/sofia-sip/security/… | x_refsource_CONFIRM |
| https://github.com/freeswitch/sofia-sip/commit/da… | x_refsource_MISC |
| https://www.debian.org/security/2023/dsa-5410 | |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| freeswitch | sofia-sip | Affected: < 1.13.11 | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:20:30.275Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54"
},
{
"name": "https://github.com/freeswitch/sofia-sip/commit/da53e4fbcb138b080a75576dd49c1fff2ada2764",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/freeswitch/sofia-sip/commit/da53e4fbcb138b080a75576dd49c1fff2ada2764"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5410"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-22741",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T21:02:31.088557Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:21:43.727Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sofia-sip",
"vendor": "freeswitch",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification. In affected versions Sofia-SIP **lacks both message length and attributes length checks** when it handles STUN packets, leading to controllable heap-over-flow. For example, in stun_parse_attribute(), after we get the attribute\u0027s type and length value, the length will be used directly to copy from the heap, regardless of the message\u0027s left size. Since network users control the overflowed length, and the data is written to heap chunks later, attackers may achieve remote code execution by heap grooming or other exploitation methods. The bug was introduced 16 years ago in sofia-sip 1.12.4 (plus some patches through 12/21/2006) to in tree libs with git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@3774 d0543943-73ff-0310-b7d9-9358b9ac24b2. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-24T20:06:39.210Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54"
},
{
"name": "https://github.com/freeswitch/sofia-sip/commit/da53e4fbcb138b080a75576dd49c1fff2ada2764",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/freeswitch/sofia-sip/commit/da53e4fbcb138b080a75576dd49c1fff2ada2764"
},
{
"url": "https://www.debian.org/security/2023/dsa-5410"
}
],
"source": {
"advisory": "GHSA-8599-x7rq-fr54",
"discovery": "UNKNOWN"
},
"title": "heap-over-flow in stun_parse_attribute in sofia-sip"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-22741",
"datePublished": "2023-01-19T21:20:22.744Z",
"dateReserved": "2023-01-06T14:21:05.892Z",
"dateUpdated": "2025-03-10T21:21:43.727Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
VAR-202110-0919
Vulnerability from variot - Updated: 2023-12-18 12:16
An issue was discovered in function sofia_handle_sip_i_notify in sofia.c in SignalWire freeswitch before 1.10.6, which may allow attackers to view sensitive information due to an uninitialized value. A flaw in resource initialization exists in SignalWire freeswitch. Information may be obtained. FreeSWITCH is a set of free and open source communication software developed by the individual developer Anthony Minesale in the United States. The software can be used to create audio, video and short message products and applications.
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202110-0919",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "freeswitch",
"scope": "lt",
"trust": 1.0,
"vendor": "signalwire",
"version": "1.10.6"
},
{
"model": "freeswitch",
"scope": "eq",
"trust": 0.8,
"vendor": "freeswitch",
"version": null
},
{
"model": "freeswitch",
"scope": "eq",
"trust": 0.8,
"vendor": "freeswitch",
"version": "1.10.6"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-013920"
},
{
"db": "NVD",
"id": "CVE-2021-36513"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:signalwire:freeswitch:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.10.6",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-36513"
}
]
},
"cve": "CVE-2021-36513",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 5.0,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2021-36513",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-397762",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2021-36513",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2021-36513",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202110-1263",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-397762",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2021-36513",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397762"
},
{
"db": "VULMON",
"id": "CVE-2021-36513"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013920"
},
{
"db": "NVD",
"id": "CVE-2021-36513"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1263"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered in function sofia_handle_sip_i_notify in sofia.c in SignalWire freeswitch before 1.10.6, may allow attackers to view sensitive information due to an uninitialized value. SignalWire freeswitch Exists in a flaw in resource initialization.Information may be obtained. FreeSWITCH is a set of free and open source communication software developed by the individual developer Anthony Minesale in the United States. The software can be used to create audio, video and short message products and applications",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-36513"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013920"
},
{
"db": "VULHUB",
"id": "VHN-397762"
},
{
"db": "VULMON",
"id": "CVE-2021-36513"
}
],
"trust": 1.8
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-36513",
"trust": 3.4
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013920",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1263",
"trust": 0.7
},
{
"db": "VULHUB",
"id": "VHN-397762",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2021-36513",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397762"
},
{
"db": "VULMON",
"id": "CVE-2021-36513"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013920"
},
{
"db": "NVD",
"id": "CVE-2021-36513"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1263"
}
]
},
"id": "VAR-202110-0919",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-397762"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T12:16:16.368000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Usage-of-uninitialized\u00a0value\u00a0#1245 GitHub",
"trust": 0.8,
"url": "https://github.com/signalwire/freeswitch/issues/1245"
},
{
"title": "FreeSWITCH Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=167098"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-013920"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1263"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-909",
"trust": 1.1
},
{
"problemtype": "Inadequate resource initialization (CWE-909) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397762"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013920"
},
{
"db": "NVD",
"id": "CVE-2021-36513"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "https://newreleases.io/project/github/signalwire/freeswitch/release/v1.10.6"
},
{
"trust": 1.8,
"url": "https://github.com/signalwire/freeswitch/releases/tag/v1.10.6"
},
{
"trust": 1.8,
"url": "https://github.com/signalwire/freeswitch/issues/1245"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-36513"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/909.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-397762"
},
{
"db": "VULMON",
"id": "CVE-2021-36513"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013920"
},
{
"db": "NVD",
"id": "CVE-2021-36513"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1263"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-397762"
},
{
"db": "VULMON",
"id": "CVE-2021-36513"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-013920"
},
{
"db": "NVD",
"id": "CVE-2021-36513"
},
{
"db": "CNNVD",
"id": "CNNVD-202110-1263"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-10-18T00:00:00",
"db": "VULHUB",
"id": "VHN-397762"
},
{
"date": "2021-10-18T00:00:00",
"db": "VULMON",
"id": "CVE-2021-36513"
},
{
"date": "2022-09-29T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-013920"
},
{
"date": "2021-10-18T17:15:07.913000",
"db": "NVD",
"id": "CVE-2021-36513"
},
{
"date": "2021-10-18T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202110-1263"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-10-22T00:00:00",
"db": "VULHUB",
"id": "VHN-397762"
},
{
"date": "2021-10-22T00:00:00",
"db": "VULMON",
"id": "CVE-2021-36513"
},
{
"date": "2022-09-29T07:34:00",
"db": "JVNDB",
"id": "JVNDB-2021-013920"
},
{
"date": "2021-10-22T15:11:45.757000",
"db": "NVD",
"id": "CVE-2021-36513"
},
{
"date": "2021-10-26T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202110-1263"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202110-1263"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "SignalWire\u00a0freeswitch\u00a0 Vulnerability in resource initialization deficiency in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-013920"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202110-1263"
}
],
"trust": 0.6
}
}