CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
EPSS
Percentile
59.1%
Asterisk is an open source private branch exchange (PBX) and telephony toolkit. Prior to asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an AMI user with write=originate
may change all configuration files in the /etc/asterisk/
directory. This occurs because they are able to curl remote files and write them to disk, but are also able to append to existing files using the FILE
function inside the SET
application. This issue may result in privilege escalation, remote code execution and/or blind server-side request forgery with arbitrary protocol. Asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2 contain a fix for this issue.
[
{
"vendor": "asterisk",
"product": "asterisk",
"versions": [
{
"version": "< 18.24.2",
"status": "affected"
},
{
"version": ">= 19.0.0, < 20.9.2",
"status": "affected"
},
{
"version": ">= 21.0.0, < 21.4.2",
"status": "affected"
},
{
"version": "< 18.9-cert11",
"status": "affected"
},
{
"version": ">= 19.0, < 20.7-cert2",
"status": "affected"
}
]
}
]
github.com/asterisk/asterisk/blob/14367caaf7241df1eceea7c45c5b261989c2c6db/main/manager.c#L6426
github.com/asterisk/asterisk/blob/7d28165cb1b2d02d66e8693bd3fe23ee72fc55d8/main/manager.c#L6426
github.com/asterisk/asterisk/commit/42a2f4ccfa2c7062a15063e765916b3332e34cc4
github.com/asterisk/asterisk/commit/7a0090325bfa9d778a39ae5f7d0a98109e4651c8
github.com/asterisk/asterisk/commit/b4063bf756272254b160b6d1bd6e9a3f8e16cc71
github.com/asterisk/asterisk/commit/bbe68db10ab8a80c29db383e4dfe14f6eafaf993
github.com/asterisk/asterisk/commit/faddd99f2b9408b524e5eb8a01589fe1fa282df2
github.com/asterisk/asterisk/security/advisories/GHSA-c4cg-9275-6w44