{"id":"CVE-2024-35190","summary":"Asterisk's res_pjsip_endpoint_identifier_ip: wrongly matches ALL unauthorized SIP requests","details":"Asterisk is an open source private branch exchange and telephony toolkit. After an upgrade to 18.23.0, ALL unauthorized SIP requests are identified as a PJSIP endpoint of the local Asterisk server. This vulnerability is fixed in 18.23.1, 20.8.1, and 21.3.1.\n","aliases":["GHSA-qqxj-v78h-hrf9"],"modified":"2026-04-12T07:22:45.581220Z","published":"2024-05-17T16:55:41.346Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/35xxx/CVE-2024-35190.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-303","CWE-480","CWE-670"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/35xxx/CVE-2024-35190.json"},{"type":"ADVISORY","url":"https://github.com/asterisk/asterisk/security/advisories/GHSA-qqxj-v78h-hrf9"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35190"},{"type":"FIX","url":"https://github.com/asterisk/asterisk/commit/85241bd22936cc15760fd1f65d16c98be7aeaf6d"},{"type":"FIX","url":"https://github.com/asterisk/asterisk/pull/600"},{"type":"FIX","url":"https://github.com/asterisk/asterisk/pull/602"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/asterisk/asterisk","events":[{"introduced":"0"},{"fixed":"85241bd22936cc15760fd1f65d16c98be7aeaf6d"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-35190.json","vanir_signatures_modified":"2026-04-12T07:22:45Z","vanir_signatures":[{"source":"https://github.com/asterisk/asterisk/commit/85241bd22936cc15760fd1f65d16c98be7aeaf6d","signature_type":"Function","signature_version":"v1","id":"CVE-2024-35190-00f2e926","deprecated":false,"digest":{"function_hash":"186040774487265813882168276571403515607","length":316},"target":{"file":"res/res_pjsip_endpoint_identifier_ip.c","function":"unload_module"}},{"source":"https://git
hub.com/asterisk/asterisk/commit/85241bd22936cc15760fd1f65d16c98be7aeaf6d","signature_type":"Line","signature_version":"v1","id":"CVE-2024-35190-4c642da0","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["316068877843558720322447803181969697209","24363393891510760272881567454949887470","116385994485311852395211686335675667931","116475400232439926964756878041978118170","59262124277762815660671945266482817937","86020723580676206030174175069459324150","258489699813553095652134165813132579739","227158266218398746040088326247062459290","201418472948700612655618698118243671350","169573822859822152697827175686268318622","181054091205835882700229120493052812430","297992395767516972434847103679942182244","252570076256300598715471767730093170783","77937325092566174822057815565088072163","268338876468931478069550215222042698396","191092726740188860237720645373840779959","289680352233861118834615140440355959147","35448438237468399358284465568118588920","316797850535701355148941405508356901398","251657596142003506609282120358464377511","23271141862415058611990160650796679670","132188329735335332302643793759707500318","56320015019173922883896795831974993652","214475030603751699029276710261758023133","292016216794036098911871383732252102980","338936959328812161404769508076853437998","4483476893888470877506639775579360192","148258786900315181831009753934931867223","238822564484973746417889136885389207148","163958967593096937558756540119238716280","102505604993946320028684935640062250100","8837931582297323787055575043359911944","262186848167469983456804158513858534243","216537995415204930211008750750545031610","91089688701113913242694810709538781250","321132894119870166114646519175565572506","78953190536256790579731675276236364358","338236110181405163671966565755676412600","29622839391287829418056463359579233809","232690968198551779773694905569280595990","287205022942542993883935651821776468635","6459907094327208148159793537393989080","101070599504055740541336859370508873
314","213219525068764477108989857179348100862","53464793480304980883289150264313196007","217956916725611273480783116724546719736","326167009264428715531355865427976777652","283937541192179996776879043243472078329","145877491359131795674397935342828929178","338877992803043273561640145413749191556","40052999491592211049099703165540963138","41835047428680360072093448485337138020","88749702317421840390971293705035067358","90940031829345406852531635561006390803","62227934130087078437203169448875518670","219203436113241204676539953833241771025","297187318587146326299984136898689072893","150761729681328355237439482495062311764","19989317005268147474885548640479366208","117027636493829203862492015594502394954","108235366817949171691466891248443097733","301356437015347701879870342664218770961","338399924937297009145037035412134922044","220877224023812559606396878342776768977","81250532132273304275117596933613485928","215657568373332345596791049107171954138","290797338478075321543461471626521310948","246722197625490414893005787893097323937","272211008383739235888721181501547976232","294825402045477975415957347369698076372","30584587213142902972153208626010345669","145803864506505188249154510883819478089","320106371965746591930908061638708537488","310624652258493767071903844596688749183","278701548012730407873090948300155848102","227351610353502462583789068688993355546","156564408030247130473154742181539447752","108825291295630904533413496585312383529","178335852612254081388718469971254972327","83046076267809893392831635509606375854","94396692179072254055384525805500741717","15730535258587107379742048273534390702","121913009338681586960977186960106604712","185024937152924607534144347947194435189","337434101207553027096600520397163108125","158331078558731492611314236672836947644","305602893930793756099594594000479209514","320949798398556517163523476091891825815","68743784707068436353337488943565634423","12048663802389623977220651746003061625","1646945167021130730389963281251363
93697","114417846371837983764536993803390062515","5812137098099445686080783943887371479","150033906469982459261872050851787658965","258548615024387829293683310484905485227","204018832632400841861258708140528684481","248572754098703006722950654706334372684","142138015864337769731445680033802671371","158009349357521537562852777923744223439","35613722366843680972105411975614558874","276855464920930859085198696887123085834","317820474118993922966260030668004035687","271646418121686994532132302580734689640","155511024882222776581448553534313161838","265157485631902597049863466887376363145","218219322288610576459139968103584746395","237430552139785141970611755118097366665","142805152630922210827408704631109208213","130453850422622913889996671139679731574","21896174910616056784010497304176459723"]},"target":{"file":"res/res_pjsip_endpoint_identifier_ip.c"}},{"source":"https://github.com/asterisk/asterisk/commit/85241bd22936cc15760fd1f65d16c98be7aeaf6d","signature_type":"Function","signature_version":"v1","id":"CVE-2024-35190-664d94eb","deprecated":false,"digest":{"function_hash":"49907753423162129281696117219764624818","length":668},"target":{"file":"res/res_pjsip/pjsip_configuration.c","function":"sip_endpoint_identifier_str2type"}},{"source":"https://github.com/asterisk/asterisk/commit/85241bd22936cc15760fd1f65d16c98be7aeaf6d","signature_type":"Line","signature_version":"v1","id":"CVE-2024-35190-6c2b14fd","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["132138607514681710505850682880712227515","294371235257432471427347120213446255368","27085527213542168052355838122394362394","72409703556799408462732007193965859469","320319677431383507065990283728179652759","315611593996080709077587458976533891638","49676520361783032430123591008046979927","20812129828567733327203266977001575942","108700490105913159305267531206244171280","215532450867433423073378505996038820649","229879799361846519626532037928516467658"]},"target":{"file":"res/res_pjsip/pjsip_configuration.c"}}
,{"source":"https://github.com/asterisk/asterisk/commit/85241bd22936cc15760fd1f65d16c98be7aeaf6d","signature_type":"Function","signature_version":"v1","id":"CVE-2024-35190-85402664","deprecated":false,"digest":{"function_hash":"233397609238933880777129633546512282032","length":359},"target":{"file":"res/res_pjsip_endpoint_identifier_ip.c","function":"ip_identify"}},{"source":"https://github.com/asterisk/asterisk/commit/85241bd22936cc15760fd1f65d16c98be7aeaf6d","signature_type":"Function","signature_version":"v1","id":"CVE-2024-35190-9527a3ca","deprecated":false,"digest":{"function_hash":"10850304549588860040133648342332018537","length":2151},"target":{"file":"res/res_pjsip_endpoint_identifier_ip.c","function":"load_module"}},{"source":"https://github.com/asterisk/asterisk/commit/85241bd22936cc15760fd1f65d16c98be7aeaf6d","signature_type":"Function","signature_version":"v1","id":"CVE-2024-35190-9995ed2c","deprecated":false,"digest":{"function_hash":"321117790809999770673419458671262935675","length":767},"target":{"file":"res/res_pjsip_endpoint_identifier_ip.c","function":"ip_identify_match_check"}},{"source":"https://github.com/asterisk/asterisk/commit/85241bd22936cc15760fd1f65d16c98be7aeaf6d","signature_type":"Function","signature_version":"v1","id":"CVE-2024-35190-a47d5442","deprecated":false,"digest":{"function_hash":"191539497569206919396315680023280614976","length":1601},"target":{"file":"res/res_pjsip_endpoint_identifier_ip.c","function":"cli_print_body"}},{"source":"https://github.com/asterisk/asterisk/commit/85241bd22936cc15760fd1f65d16c98be7aeaf6d","signature_type":"Function","signature_version":"v1","id":"CVE-2024-35190-a5c1856b","deprecated":false,"digest":{"function_hash":"128238337060452774239324523284725906637","length":551},"target":{"file":"res/res_pjsip/pjsip_configuration.c","function":"sip_endpoint_identifier_type2str"}},{"source":"https://github.com/asterisk/asterisk/commit/85241bd22936cc15760fd1f65d16c98be7aeaf6d","signature_type":"Line","signatur
e_version":"v1","id":"CVE-2024-35190-c46abcb5","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["48154925034208880326614317636830997300","190945977318940285188391595769211809282","55176213472902597442990859653438226722","220410033346188039470675630840798263936"]},"target":{"file":"include/asterisk/res_pjsip.h"}},{"source":"https://github.com/asterisk/asterisk/commit/85241bd22936cc15760fd1f65d16c98be7aeaf6d","signature_type":"Function","signature_version":"v1","id":"CVE-2024-35190-df48beef","deprecated":false,"digest":{"function_hash":"197020072731638583681039883675953480288","length":3257},"target":{"file":"res/res_pjsip_endpoint_identifier_ip.c","function":"ip_identify_apply"}},{"source":"https://github.com/asterisk/asterisk/commit/85241bd22936cc15760fd1f65d16c98be7aeaf6d","signature_type":"Function","signature_version":"v1","id":"CVE-2024-35190-f85f22b2","deprecated":false,"digest":{"function_hash":"125748909868961047905257998993619938692","length":1031},"target":{"file":"res/res_pjsip_endpoint_identifier_ip.c","function":"transport_identify"}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"}]}