{"id":"CVE-2018-12227","details":"An issue was discovered in Asterisk Open Source 13.x before 13.21.1, 14.x before 14.7.7, and 15.x before 15.4.1 and Certified Asterisk 13.18-cert before 13.18-cert4 and 13.21-cert before 13.21-cert2. When endpoint-specific ACL rules block a SIP request, the response is a 403 Forbidden. However, if an endpoint is not identified, then a 401 Unauthorized response is sent. This vulnerability only discloses which requests hit a defined endpoint: the differing status codes reveal whether a request matched one. The ACL rules cannot be bypassed to gain access to the disclosed endpoints.","modified":"2026-04-10T04:04:46.532868Z","published":"2018-06-12T04:29:00.220Z","references":[{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201811-11"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4320"},{"type":"ADVISORY","url":"http://downloads.asterisk.org/pub/security/AST-2018-008.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/104455"},{"type":"FIX","url":"https://issues.asterisk.org/jira/browse/ASTERISK-27818"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/asterisk/asterisk","events":[{"introduced":"85335355efb2d7914a1fe20ed31afcef15fd210c"},{"fixed":"d661052e6d2eddae58bec5a04229c105d11e18f4"},{"introduced":"0"},{"fixed":"fdaecead781e4216a68c672ad0864ca895a47141"},{"introduced":"d4cc63728def7ca06ad3f70547de87bc5c9ef7c0"},{"fixed":"97b17a97812a5b3f30dba94cc7b3b3a2e81473e5"},{"introduced":"0"},{"last_affected":"b7607c41e4825490ffea9d09c0b3b8f9d65f87c0"},{"introduced":"0"},{"last_affected":"9f9c03d928110b9636506f6bc7a8f88c5c315a71"},{"introduced":"0"},{"last_affected":"eff7fd8517df53cc2e5b01f0c7beb1c721a8796b"},{"introduced":"0"},{"last_affected":"d661052e6d2eddae58bec5a04229c105d11e18f4"}],"database_specific":{"versions":[{"introduced":"13.0.0"},{"fixed":"13.21.1"},{"introduced":"0"},{"fixed":"14.7.7"},{"introduced":"15.0.0"},{"fixed":"15.4.1"},{"introduced":"0"},{"last_affected":"13.18-cert1"},{"introduced":"0"},{"last_affected":"13.18-cert2"}
,{"introduced":"0"},{"last_affected":"13.18-cert3"},{"introduced":"0"},{"last_affected":"13.21-cert1"}]}}],"versions":["13.18.0","13.18.0-rc1","13.18.0-rc2","13.21.0-rc1","14.7.0","14.7.0-rc1","14.7.0-rc2","14.7.1","14.7.2","14.7.3","14.7.4","14.7.5","14.7.6","15.4.0","15.4.0-rc1","certified/13.18-cert1","certified/13.18-cert1-rc1","certified/13.18-cert1-rc2","certified/13.18-cert1-rc3","certified/13.18-cert2","certified/13.18-cert3","certified/13.21-cert1"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-12227.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}