CVE-2009-3727 [Medium] | Information Disclosure in Asterisk

Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.3, 1.6.0.x before 1.6.0.17, and 1.6.1.x before 1.6.1.9; Business Edition A.x.x, B.x.x before B.2.5.12, C.2.x.x before C.2.4.5, and C.3.x.x before C.3.2.2; AsteriskNOW 1.5; and s800i 1.3.x before 1.3.0.5 generate different error messages depending on whether a SIP username is valid, which allows remote attackers to enumerate valid usernames via multiple crafted REGISTER messages with inconsistent usernames in the URI in the To header and the Digest in the Authorization header.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.72%	4.20%	+3.48%
2	2025-03-30	7.17%	0.72%	-6.45%
3	2025-03-29	—	7.17%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

0.72%

4.20%

+3.48%

2025-03-30

7.17%

0.72%

-6.45%

2025-03-29

—

7.17%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.0	2.0	MEDIUM	`AV:N/AC:L/Au:N/C:P/I:N/A:N` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:P) Partial confidentiality impact. Integrity impact (I:N) No integrity impact. Availability impact (A:N) No availability impact.	10.0	2.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

5.0

2.0

MEDIUM

AV:N/AC:L/Au:N/C:P/I:N/A:N Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:P): Partial confidentiality impact.
Integrity impact (I:N): No integrity impact.
Availability impact (A:N): No availability impact.

10.0

2.9

[email protected]

OS Trackers for CVE-2009-3727

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2009-3727 not yet assigned priority: Debian including 1 source packages (asterisk), 2 status rows across 2 suites (bullseye, sid): resolved 2.	https://security-tracker.debian.org/tracker/CVE-2009-3727
`gentoo`	normal	CVE-2009-3727: 1 GLSA(s) (201006-20), 1 atom(s) (net-misc/asterisk); latest impact normal.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2009-3727
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2009-3727
`ubuntu`	low	CVE-2009-3727 low priority: Ubuntu including 1 source packages (asterisk), 9 status rows across 9 suites (dapper, hardy, intrepid, jaunty, karmic, lucid, maverick, natty, upstream): ignored 4, not-affected 3, released 2.	https://ubuntu.com/security/CVE-2009-3727

Affected software / configurations for CVE-2009-3727

Vendor	Product	Version	Raw CPE
digium	asterisk	1.2.0	cpe:2.3:a:digium:asterisk:1.2.0:::::::*
digium	asterisk	1.2.0	cpe:2.3:a:digium:asterisk:1.2.0:beta1::::::
digium	asterisk	1.2.0	cpe:2.3:a:digium:asterisk:1.2.0:beta2::::::
digium	asterisk	1.2.0	cpe:2.3:a:digium:asterisk:1.2.0:rc1::::::
digium	asterisk	1.2.0	cpe:2.3:a:digium:asterisk:1.2.0:rc2::::::
digium	asterisk	1.2.1	cpe:2.3:a:digium:asterisk:1.2.1:::::::*
digium	asterisk	1.2.2	cpe:2.3:a:digium:asterisk:1.2.2:::::::*
digium	asterisk	1.2.2	cpe:2.3:a:digium:asterisk:1.2.2:netsec::::::
digium	asterisk	1.2.3	cpe:2.3:a:digium:asterisk:1.2.3:::::::*
digium	asterisk	1.2.3	cpe:2.3:a:digium:asterisk:1.2.3:netsec::::::
digium	asterisk	1.2.10	cpe:2.3:a:digium:asterisk:1.2.10:::::::*
digium	asterisk	1.2.10	cpe:2.3:a:digium:asterisk:1.2.10:netsec::::::
digium	asterisk	1.2.11	cpe:2.3:a:digium:asterisk:1.2.11:::::::*
digium	asterisk	1.2.11	cpe:2.3:a:digium:asterisk:1.2.11:netsec::::::
digium	asterisk	1.2.12	cpe:2.3:a:digium:asterisk:1.2.12:::::::*
digium	asterisk	1.2.12	cpe:2.3:a:digium:asterisk:1.2.12:netsec::::::
digium	asterisk	1.2.12.1	cpe:2.3:a:digium:asterisk:1.2.12.1:::::::*
digium	asterisk	1.2.12.1	cpe:2.3:a:digium:asterisk:1.2.12.1:netsec::::::
digium	asterisk	1.2.13	cpe:2.3:a:digium:asterisk:1.2.13:::::::*
digium	asterisk	1.2.13	cpe:2.3:a:digium:asterisk:1.2.13:netsec::::::
digium	asterisk	1.2.14	cpe:2.3:a:digium:asterisk:1.2.14:::::::*
digium	asterisk	1.2.15	cpe:2.3:a:digium:asterisk:1.2.15:::::::*
digium	asterisk	1.2.15	cpe:2.3:a:digium:asterisk:1.2.15:netsec::::::
digium	asterisk	1.2.16	cpe:2.3:a:digium:asterisk:1.2.16:::::::*
digium	asterisk	1.2.16	cpe:2.3:a:digium:asterisk:1.2.16:netsec::::::
digium	asterisk	1.2.17	cpe:2.3:a:digium:asterisk:1.2.17:::::::*
digium	asterisk	1.2.17	cpe:2.3:a:digium:asterisk:1.2.17:netsec::::::
digium	asterisk	1.2.18	cpe:2.3:a:digium:asterisk:1.2.18:::::::*
digium	asterisk	1.2.18	cpe:2.3:a:digium:asterisk:1.2.18:netsec::::::
digium	asterisk	1.2.19	cpe:2.3:a:digium:asterisk:1.2.19:::::::*
digium	asterisk	1.2.19	cpe:2.3:a:digium:asterisk:1.2.19:netsec::::::
digium	asterisk	1.2.20	cpe:2.3:a:digium:asterisk:1.2.20:::::::*
digium	asterisk	1.2.20	cpe:2.3:a:digium:asterisk:1.2.20:netsec::::::
digium	asterisk	1.2.21	cpe:2.3:a:digium:asterisk:1.2.21:::::::*
digium	asterisk	1.2.21	cpe:2.3:a:digium:asterisk:1.2.21:netsec::::::
digium	asterisk	1.2.21.1	cpe:2.3:a:digium:asterisk:1.2.21.1:::::::*
digium	asterisk	1.2.21.1	cpe:2.3:a:digium:asterisk:1.2.21.1:netsec::::::
digium	asterisk	1.2.22	cpe:2.3:a:digium:asterisk:1.2.22:::::::*
digium	asterisk	1.2.22	cpe:2.3:a:digium:asterisk:1.2.22:netsec::::::
digium	asterisk	1.2.23	cpe:2.3:a:digium:asterisk:1.2.23:::::::*
digium	asterisk	1.2.23	cpe:2.3:a:digium:asterisk:1.2.23:netsec::::::
digium	asterisk	1.2.24	cpe:2.3:a:digium:asterisk:1.2.24:::::::*
digium	asterisk	1.2.24	cpe:2.3:a:digium:asterisk:1.2.24:netsec::::::
digium	asterisk	1.2.25	cpe:2.3:a:digium:asterisk:1.2.25:::::::*
digium	asterisk	1.2.25	cpe:2.3:a:digium:asterisk:1.2.25:netsec::::::
digium	asterisk	1.2.26	cpe:2.3:a:digium:asterisk:1.2.26:::::::*
digium	asterisk	1.2.26	cpe:2.3:a:digium:asterisk:1.2.26:netsec::::::
digium	asterisk	1.2.26.1	cpe:2.3:a:digium:asterisk:1.2.26.1:::::::*
digium	asterisk	1.2.26.1	cpe:2.3:a:digium:asterisk:1.2.26.1:netsec::::::
digium	asterisk	1.2.26.2	cpe:2.3:a:digium:asterisk:1.2.26.2:::::::*
digium	asterisk	1.2.26.2	cpe:2.3:a:digium:asterisk:1.2.26.2:netsec::::::
digium	asterisk	1.2.27	cpe:2.3:a:digium:asterisk:1.2.27:::::::*
digium	asterisk	1.2.28	cpe:2.3:a:digium:asterisk:1.2.28:::::::*
digium	asterisk	1.2.28.1	cpe:2.3:a:digium:asterisk:1.2.28.1:::::::*
digium	asterisk	1.2.29	cpe:2.3:a:digium:asterisk:1.2.29:::::::*
digium	asterisk	1.2.30	cpe:2.3:a:digium:asterisk:1.2.30:::::::*
digium	asterisk	1.2.30.1	cpe:2.3:a:digium:asterisk:1.2.30.1:::::::*
digium	asterisk	1.2.30.2	cpe:2.3:a:digium:asterisk:1.2.30.2:::::::*
digium	asterisk	1.2.30.3	cpe:2.3:a:digium:asterisk:1.2.30.3:::::::*
digium	asterisk	1.2.30.4	cpe:2.3:a:digium:asterisk:1.2.30.4:::::::*
digium	asterisk	1.2.31	cpe:2.3:a:digium:asterisk:1.2.31:::::::*
digium	asterisk	1.2.31.1	cpe:2.3:a:digium:asterisk:1.2.31.1:::::::*
digium	asterisk	1.2.32	cpe:2.3:a:digium:asterisk:1.2.32:::::::*
digium	asterisk	1.2.33	cpe:2.3:a:digium:asterisk:1.2.33:::::::*
digium	asterisk	1.2.34	cpe:2.3:a:digium:asterisk:1.2.34:::::::*
digium	asterisk	1.4.0	cpe:2.3:a:digium:asterisk:1.4.0:::::::*
digium	asterisk	1.4.0	cpe:2.3:a:digium:asterisk:1.4.0:beta1::::::
digium	asterisk	1.4.0	cpe:2.3:a:digium:asterisk:1.4.0:beta2::::::
digium	asterisk	1.4.0	cpe:2.3:a:digium:asterisk:1.4.0:beta3::::::
digium	asterisk	1.4.0	cpe:2.3:a:digium:asterisk:1.4.0:beta4::::::
digium	asterisk	1.4.1	cpe:2.3:a:digium:asterisk:1.4.1:::::::*
digium	asterisk	1.4.2	cpe:2.3:a:digium:asterisk:1.4.2:::::::*
digium	asterisk	1.4.3	cpe:2.3:a:digium:asterisk:1.4.3:::::::*
digium	asterisk	1.4.4	cpe:2.3:a:digium:asterisk:1.4.4:::::::*
digium	asterisk	1.4.5	cpe:2.3:a:digium:asterisk:1.4.5:::::::*
digium	asterisk	1.4.6	cpe:2.3:a:digium:asterisk:1.4.6:::::::*
digium	asterisk	1.4.7	cpe:2.3:a:digium:asterisk:1.4.7:::::::*
digium	asterisk	1.4.7.1	cpe:2.3:a:digium:asterisk:1.4.7.1:::::::*
digium	asterisk	1.4.8	cpe:2.3:a:digium:asterisk:1.4.8:::::::*
digium	asterisk	1.4.9	cpe:2.3:a:digium:asterisk:1.4.9:::::::*

References for CVE-2009-3727

URL	Tags
http://downloads.asterisk.org/pub/security/AST-2009-008.html	Vendor Advisory
http://osvdb.org/59697
http://secunia.com/advisories/37265	Vendor Advisory
http://secunia.com/advisories/37479
http://secunia.com/advisories/37677
http://www.debian.org/security/2009/dsa-1952
http://www.securityfocus.com/bid/36924	Patch
http://www.securitytracker.com/id?1023133
https://bugzilla.redhat.com/show_bug.cgi?id=523277
https://bugzilla.redhat.com/show_bug.cgi?id=533137
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00789.html
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00838.html

URL

CVE-2009-3727

Exploit prediction scoring system (EPSS) score for CVE-2009-3727

Common vulnerability scoring system (CVSS) metrics for CVE-2009-3727

Weakness enumeration for CVE-2009-3727

OS Trackers for CVE-2009-3727

Affected software / configurations for CVE-2009-3727

References for CVE-2009-3727