Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk versions 18.20.0 and prior, 20.5.0 and prior, and 21.0.0; as well as ceritifed-asterisk 18.9-cert5 and prior, the 'update' functionality of the PJSIP_HEADER dialplan function can exceed the available buffer space for storing the new value of a header. By doing so this can overwrite memory or cause a crash. This is not externally exploitable, unless dialplan is explicitly written to update a header based on data from an outside source. If the 'update' functionality is not used the vulnerability does not occur. A patch is available at commit a1ca0268254374b515fa5992f01340f7717113fa.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/37xxx/CVE-2023-37457.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-120"
]
}{
"source": [
"CPE_RANGE",
"CPE_STRING",
"REFERENCES"
],
"cpe": [
"cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*",
"cpe:2.3:a:digium:asterisk:21.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sangoma:certified_asterisk:13.13.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sangoma:certified_asterisk:13.13.0:rc1:*:*:*:*:*:*",
"cpe:2.3:a:sangoma:certified_asterisk:13.13.0:rc2:*:*:*:*:*:*",
"cpe:2.3:a:sangoma:certified_asterisk:16.8.0:-:*:*:*:*:*:*",
"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1:*:*:*:*:*:*",
"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert2:*:*:*:*:*:*",
"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert3:*:*:*:*:*:*",
"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert4:*:*:*:*:*:*",
"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert5:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "18.20.0"
},
{
"introduced": "19.0.0"
},
{
"last_affected": "20.5.0"
},
{
"introduced": "21.0.0"
},
{
"last_affected": "21.0.0"
},
{
"introduced": "13.13.0"
},
{
"last_affected": "13.13.0"
},
{
"introduced": "13.13.0-rc1"
},
{
"last_affected": "13.13.0-rc1"
},
{
"introduced": "13.13.0-rc2"
},
{
"last_affected": "13.13.0-rc2"
},
{
"introduced": "16.8.0-NA"
},
{
"last_affected": "16.8.0-NA"
},
{
"introduced": "18.9-cert1"
},
{
"last_affected": "18.9-cert1"
},
{
"introduced": "18.9-cert2"
},
{
"last_affected": "18.9-cert2"
},
{
"introduced": "18.9-cert3"
},
{
"last_affected": "18.9-cert3"
},
{
"introduced": "18.9-cert4"
},
{
"last_affected": "18.9-cert4"
},
{
"introduced": "18.9-cert5"
},
{
"last_affected": "18.9-cert5"
}
]
}"2026-07-08T17:57:16Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-37457.json"
[
{
"id": "CVE-2023-37457-d5969b49",
"digest": {
"line_hashes": [
"159548957906824277854538295288850676053",
"239929051654971719448622866075717330742",
"327544480914766547304774939153046282095",
"22037373518915781682818387149426104403",
"52582478101052646613052143770202268734",
"13260270649188225194790817830413265206",
"155712923347818368736013152122905932088",
"122054581060142298997311705906553735862"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/asterisk/asterisk/commit/a1ca0268254374b515fa5992f01340f7717113fa",
"deprecated": false,
"target": {
"file": "res/res_pjsip_header_funcs.c"
}
},
{
"id": "CVE-2023-37457-f3766f08",
"digest": {
"function_hash": "35050234152473757146456454412151458523",
"length": 683.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/asterisk/asterisk/commit/a1ca0268254374b515fa5992f01340f7717113fa",
"deprecated": false,
"target": {
"function": "update_header",
"file": "res/res_pjsip_header_funcs.c"
}
}
]