vulnerability
Ubuntu: USN-7416-1 (CVE-2020-28361): Kamailio vulnerabilities
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:N/AC:L/Au:S/C:P/I:P/A:N) | Nov 18, 2020 | Apr 7, 2025 | Mar 27, 2026 |
Severity
6
CVSS
(AV:N/AC:L/Au:S/C:P/I:P/A:N)
Published
Nov 18, 2020
Added
Apr 7, 2025
Modified
Mar 27, 2026
Description
Kamailio before 5.4.0, as used in Sip Express Router (SER) in Sippy Softswitch 4.5 through 5.2 and other products, allows a bypass of a header-removal protection mechanism via whitespace characters. This occurs in the remove_hf function in the Kamailio textops module. Particular use of remove_hf in Sippy Softswitch may allow skilled attacker having a valid credential in the system to disrupt internal call start/duration accounting mechanisms leading potentially to a loss of revenue.
Solution
ubuntu-pro-upgrade-kamailio
References
- CVE-2020-28361
- https://attackerkb.com/topics/CVE-2020-28361
- CWE-444
- EUVD-EUVD-2020-20821
- UBUNTU-USN-7416-1
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2020-20821
- https://packetstormsecurity.com/files/159030/Kamailio-5.4.0-Header-Smuggling.html
- https://support.sippysoft.com/support/discussions/topics/3000179616
- https://ubuntu.com/security/notices/USN-7416-1
- https://www.cve.org/CVERecord?id=CVE-2020-28361
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.