CVE-2008-1289

Exp

Multiple buffer overflows in Asterisk Open Source 1.4.x before 1.4.18.1 and 1.4.19-rc3, Open Source 1.6.x before 1.6.0-beta6, Business Edition C.x.x before C.1.6.1, AsteriskNOW 1.0.x before 1.0.2, Appliance Developer Kit before 1.4 revision 109386, and s800i 1.1.x before 1.1.0.2 allow remote attackers to (1) write a zero to an arbitrary memory location via a large RTP payload number, related to the ast_rtp_unset_m_type function in main/rtp.c; or (2) write certain integers to an arbitrary memory location via a large number of RTP payloads, related to the process_sdp function in channels/chan_sip.c.

Published: 2008-03-24 Last update: 2026-04-23 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2008-1289 is rated High Exploit Risk (73.4/100): CVSS High severity, with high exploitation likelihood (EPSS 11.52%, 95th percentile). 3 public exploit reference(s) are indexed (Exploit-DB). Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2008-1289

EDB-ID Source Kind Published Link
31440 exploit_db edb 2008-03-18 Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2008-1289

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 24.95% 11.52% -13.43%
2 2026-01-11 28.37% 24.95% -3.41%
3 2025-10-06 28.37%

Full EPSS history (14 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2008-1289

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.5 2.0 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
 10.0 6.4 [email protected]

Weakness enumeration for CVE-2008-1289

OS Trackers for CVE-2008-1289

vendor priority summary link
debian medium CVE-2008-1289 medium priority: Debian including 1 source packages (asterisk), 2 status rows across 2 suites (bullseye, sid): resolved 2. https://security-tracker.debian.org/tracker/CVE-2008-1289
redhat https://access.redhat.com/security/cve/CVE-2008-1289
ubuntu medium CVE-2008-1289 medium priority: Ubuntu including 1 source packages (asterisk), 7 status rows across 7 suites (dapper, edgy, feisty, gutsy, hardy, intrepid, upstream): not-affected 4, released 2, ignored 1. https://ubuntu.com/security/CVE-2008-1289

Affected software / configurations for CVE-2008-1289

Vendor Product Version Raw CPE
asterisk asterisk_appliance_developer_kit 1.4 cpe:2.3:a:asterisk:asterisk_appliance_developer_kit:1.4:*:*:*:*:*:*:*
asterisk asterisk_business_edition <= c.1.0-beta8 cpe:2.3:a:asterisk:asterisk_business_edition:*:*:*:*:*:*:*:*
asterisk asterisk_business_edition <= c.1.0beta7 cpe:2.3:a:asterisk:asterisk_business_edition:*:*:*:*:*:*:*:*
asterisk asterisknow <= 1.0.1 cpe:2.3:a:asterisk:asterisknow:*:*:*:*:*:*:*:*
asterisk open_source <= 1.4.18 cpe:2.3:a:asterisk:open_source:*:*:*:*:*:*:*:*
asterisk open_source <= 1.4.19 cpe:2.3:a:asterisk:open_source:*:rc-2:*:*:*:*:*:*
asterisk open_source <= 1.6.0_beta5 cpe:2.3:a:asterisk:open_source:*:*:*:*:*:*:*:*
asterisk s800i <= 1.1.0.1 cpe:2.3:a:asterisk:s800i:*:*:*:*:*:*:*:*

References for CVE-2008-1289

cvelogic Threat Intelligence