PT-2012-3866 · Digium · Asterisk Digiumphones+3

Zubair Ashraf

·

Publicado

2012-08-31

·

Atualizado

2024-08-15

·

CVE-2012-2186

CVSS v2.0

9.0

Alta

VetorAV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions Asterisk Open Source versions 1.8.x through 1.8.15.0 Asterisk Open Source versions 10.x through 10.7.0 Certified Asterisk version 1.8.11 through 1.8.11-cert5 Asterisk Digiumphones versions 10.x.x-digiumphones through 10.7.0-digiumphones Asterisk Business Edition versions C.3.x through C.3.7.5
Description The issue allows remote authenticated users to execute arbitrary commands by leveraging originate privileges and providing an ExternalIVR value in an AMI Originate action, such as "/api/originate" or similar API endpoints, by manipulating the ExternalIVR variable.
Recommendations For Asterisk Open Source versions 1.8.x through 1.8.15.0, update to version 1.8.15.1 or later. For Asterisk Open Source versions 10.x through 10.7.0, update to version 10.7.1 or later. For Certified Asterisk version 1.8.11 through 1.8.11-cert5, update to version 1.8.11-cert6 or later. For Asterisk Digiumphones versions 10.x.x-digiumphones through 10.7.0-digiumphones, update to version 10.7.1-digiumphones or later. For Asterisk Business Edition versions C.3.x through C.3.7.5, update to version C.3.7.6 or later.

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Identificadores relacionados

CVE-2012-2186
DSA-2550-1

Produtos afetados

Asterisk Business Edition
Asterisk Digiumphones
Asterisk Open Source
Certified Asterisk