{"id":"CVE-2020-28242","details":"An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 16.x before 16.14.1, 17.x before 17.8.1, and 18.x before 18.0.1 and Certified Asterisk before 16.8-cert5. If Asterisk is challenged on an outbound INVITE and the nonce is changed in each response, Asterisk will continually send INVITEs in a loop. This causes Asterisk to consume more and more memory since the transaction will never terminate (even if the call is hung up), ultimately leading to a restart or shutdown of Asterisk. Outbound authentication must be configured on the endpoint for this to occur.","modified":"2026-04-10T04:19:06.256621Z","published":"2020-11-06T06:15:11.930Z","references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QUS54QTQCYKR36EIULYD544GXDA644HB/"},{"type":"ADVISORY","url":"http://downloads.asterisk.org/pub/security/AST-2020-002.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/04/msg00001.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/asterisk/asterisk","events":[{"introduced":"0"},{"last_affected":"d436f568583184a13aa46349af5a3f0907087b44"},{"introduced":"85335355efb2d7914a1fe20ed31afcef15fd210c"},{"fixed":"57693c3d5059c69222378b798cacc4685b0985e6"},{"introduced":"a65908f83e2f17a3aca7eb39c8e06045aca02674"},{"fixed":"372fccb6b26c38933f6df083f387f6c21865e017"},{"introduced":"5ffe12b6ef30cd503f85d75745fd8d9c2cfafe47"},{"fixed":"587c70514effa9ccfadd1ffb8ee7af041d733e0a"},{"introduced":"2c1bba3cbec008c8ce35c78a2c79f9f207ea58bc"},{"fixed":"3c299d2aa03a2f1f2b6d93ab5661eac900308118"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"16.8.0"},{"introduced":"13.0"},{"fixed":"13.37.1"},{"introduced":"16.0"},{"fixed":"16.14.1"},{"introduced":"17.0"},{"fixed":"17.8.1"},{"introduced":"18.0"},{"fixed":"18.0.1"}]}}],"versions":["13.37.0","13.37.0-rc1","16.14.0","16.14.0-rc1","16.8.0","16.8.0-rc1","16.8.0-rc2","17.8.0","17.8.0-rc1","18.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-28242.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"33"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}