FreeBSD 7656FC62-A7A7-11E4-96BA-001999F8D30B
Jan 12, 2015 - 12:00 a.m.

asterisk -- Mitigation for libcURL HTTP request injection vulnerability

2015-01-12 00:00:00
vuxml.freebsd.org

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.005 Low
Percentile: 76.9%

The Asterisk project reports:

CVE-2014-8150 reported an HTTP request injection
vulnerability in libcURL. Asterisk uses libcURL in its
func_curl.so module (the CURL() dialplan function), as
well as its res_config_curl.so (cURL realtime backend)
modules.

Since Asterisk may be configured to allow for user-supplied
URLs to be passed to libcURL, it is possible that an
attacker could use Asterisk as an attack vector to inject
unauthorized HTTP requests if the version of libcURL
installed on the Asterisk server is affected by
CVE-2014-8150.

OS       Version  Architecture  Package     Version     Filename
FreeBSD  any      noarch        asterisk    < 1.8.32.2  UNKNOWN
FreeBSD  any      noarch        asterisk11  < 11.15.1   UNKNOWN
FreeBSD  any      noarch        asterisk13  < 13.1.1    UNKNOWN
