FreeBSD: 7656FC62-A7A7-11E4-96BA-001999F8D30B
History: Jan 12, 2015 - 12:00 a.m.

asterisk -- Mitigation for libcURL HTTP request injection vulnerability

2015-01-12 00:00:00
vuxml.freebsd.org
CVSS2: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

- Attack Vector: NETWORK
- Attack Complexity: MEDIUM
- Authentication: NONE
- Confidentiality Impact: NONE
- Integrity Impact: PARTIAL
- Availability Impact: NONE

EPSS: 0.006 (Percentile: 78.0%)

The Asterisk project reports:

CVE-2014-8150 reported an HTTP request injection
vulnerability in libcURL. Asterisk uses libcURL in its
func_curl.so module (the CURL() dialplan function), as
well as its res_config_curl.so (cURL realtime backend)
modules.
Since Asterisk may be configured to allow for user-supplied
URLs to be passed to libcURL, it is possible that an
attacker could use Asterisk as an attack vector to inject
unauthorized HTTP requests if the version of libcURL
installed on the Asterisk server is affected by
CVE-2014-8150.

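| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| FreeBSD | any | noarch | asterisk | < 1.8.32.2 | UNKNOWN |
| FreeBSD | any | noarch | asterisk11 | < 11.15.1 | UNKNOWN |
| FreeBSD | any | noarch | asterisk13 | < 13.1.1 | UNKNOWN |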
