CVE-2017-14098

Name: CVE-2017-14098
Creator: NVD / NIST
Published: 2017-09-02T16:29:00.24+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 50.05%

Last modified Jun 17, 2026

CVE-2017-14098 is a vulnerability of currently unknown severity. In the pjsip channel driver (res_pjsip) in Asterisk 13.x before 13.17.1 and 14.x before 14.6.1, a carefully crafted tel URI in a From, To, or Contact header could cause Asterisk to crash.. EPSS estimates a 50.05% chance of exploitation in the next 30 days.

Description

In the pjsip channel driver (res_pjsip) in Asterisk 13.x before 13.17.1 and 14.x before 14.6.1, a carefully crafted tel URI in a From, To, or Contact header could cause Asterisk to crash.

Metrics

EPSS Probability

50.05%

98.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-20

Affected Software

Vendor	Product	Versions	Update
Digium	Asterisk	13.0.0	—
Digium	Asterisk	13.0.1	—
Digium	Asterisk	13.0.2	—
Digium	Asterisk	13.1.0	—
Digium	Asterisk	13.1.1	—
Digium	Asterisk	13.2.0	—
Digium	Asterisk	13.2.1	—
Digium	Asterisk	13.3.0	Rc1
Digium	Asterisk	13.3.2	—
Digium	Asterisk	13.4.0	—
Digium	Asterisk	13.5.0	—
Digium	Asterisk	13.6.0	Rc1
Digium	Asterisk	13.7.0	Rc1
Digium	Asterisk	13.7.1	—
Digium	Asterisk	13.7.2	—
Digium	Asterisk	13.8.0	—
Digium	Asterisk	13.8.1	—
Digium	Asterisk	13.8.2	—
Digium	Asterisk	13.9.0	—
Digium	Asterisk	13.9.1	—
Digium	Asterisk	13.10.0	—
Digium	Asterisk	13.11.0	—
Digium	Asterisk	13.11.1	—
Digium	Asterisk	13.11.2	—
Digium	Asterisk	13.12	—
Digium	Asterisk	13.12.0	—
Digium	Asterisk	13.12.1	—
Digium	Asterisk	13.12.2	—
Digium	Asterisk	13.13	—
Digium	Asterisk	13.13.0	—
Digium	Asterisk	13.13.1	—
Digium	Asterisk	13.14.0	—
Digium	Asterisk	13.14.1	—
Digium	Asterisk	13.15.0	—
Digium	Asterisk	13.15.1	—
Digium	Asterisk	13.16.0	—
Digium	Asterisk	13.17.0	—
Digium	Asterisk	14.0	—
Digium	Asterisk	14.0.0	—
Digium	Asterisk	14.0.1	—
Digium	Asterisk	14.0.2	—
Digium	Asterisk	14.1	—
Digium	Asterisk	14.01	—
Digium	Asterisk	14.1.0	—
Digium	Asterisk	14.1.1	—
Digium	Asterisk	14.1.2	—
Digium	Asterisk	14.02	—
Digium	Asterisk	14.2	—
Digium	Asterisk	14.2.0	—
Digium	Asterisk	14.2.1	—

Showing 50 of 56 affected configurations. See NVD for the full list.

References

http://downloads.asterisk.org/pub/security/AST-2017-007.htmlPatch, Vendor Advisory
http://www.securityfocus.com/bid/100583Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1039253Third Party Advisory, VDB Entry
https://bugs.debian.org/873909Issue Tracking, Patch, Third Party Advisory
https://issues.asterisk.org/jira/browse/ASTERISK-27152Issue Tracking, Vendor Advisory
http://downloads.asterisk.org/pub/security/AST-2017-007.htmlPatch, Vendor Advisory
http://www.securityfocus.com/bid/100583Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1039253Third Party Advisory, VDB Entry
https://bugs.debian.org/873909Issue Tracking, Patch, Third Party Advisory
https://issues.asterisk.org/jira/browse/ASTERISK-27152Issue Tracking, Vendor Advisory

Timeline

Published: Sep 2, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2017-14098?

In the pjsip channel driver (res_pjsip) in Asterisk 13.x before 13.17.1 and 14.x before 14.6.1, a carefully crafted tel URI in a From, To, or Contact header could cause Asterisk to crash.

How severe is CVE-2017-14098?

Severity scoring for CVE-2017-14098 is pending analysis. The EPSS model estimates a 50.05% probability of exploitation in the next 30 days.

How do I fix CVE-2017-14098?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-14098?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST