PT-2022-17903 · Asterisk · Asterisk

Clint Ruoho · Published 2022-04-15 · Updated 2023-02-02 · CVE-2022-26499

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Asterisk versions prior to 16.25.2
Asterisk versions prior to 18.11.2
Asterisk versions prior to 19.3.2
Description

An issue was discovered in Asterisk. When STIR/SHAKEN verification is enabled, the Identity header of an inbound SIP request carries a URL (the info parameter) from which Asterisk fetches the signer's certificate in order to verify the PASSporT signature. Because that URL is supplied by the caller, a remote, unauthenticated attacker can make the Asterisk server issue arbitrary HTTP requests, such as GET, to any host it can reach, including localhost and other internal interfaces (server-side request forgery).
Recommendations

For versions prior to 16.25.2, update to version 16.25.2 or later.
For versions prior to 18.11.2, update to version 18.11.2 or later.
For versions prior to 19.3.2, update to version 19.3.2 or later.

As a temporary workaround until the patch is applied, do not let untrusted peers drive STIR/SHAKEN verification: strip or reject the Identity header at the ingress SBC or proxy for endpoints that do not need verification, or disable STIR/SHAKEN verification on those endpoints. In addition, restrict outbound HTTP(S) from the Asterisk host with egress filtering so that it can reach only the certificate repositories you expect; this limits what a forged info URL can reach even before the update.
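As an added illustration of the ingress check described above (example code written for this page, not Asterisk's own code or its patch), the following Python script parses the info=<...> parameter of a SIP Identity header and flags certificate URLs that should never be fetched on behalf of an untrusted caller: non-https schemes, URLs with no host, literal loopback/private/link-local addresses, localhost names and non-default ports. The sample headers, the PASSporT tokens in them and the policy thresholds are constructed for the example and are assumptions, not captured traffic or Asterisk defaults.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed SIP Identity headers in the RFC 8224 shape (PASSporT;info=<url>;alg=...;ppt=shaken).
# The PASSporT tokens are placeholders, not real signatures, and the hosts are illustrative only.
SAMPLE_HEADERS = {
    "benign":   "Identity: eyJhbGciOiJFUzI1NiJ9.eyJhdHRlc3QiOiJBIn0.c2ln;info=<https://cert.example.net/shaken/cert.pem>;alg=ES256;ppt=shaken",
    "loopback": "Identity: eyJhbGciOiJFUzI1NiJ9.eyJhdHRlc3QiOiJBIn0.c2ln;info=<http://127.0.0.1:8088/ari/asterisk/info>;alg=ES256;ppt=shaken",
    "private":  "Identity: eyJhbGciOiJFUzI1NiJ9.eyJhdHRlc3QiOiJBIn0.c2ln;info=<https://10.0.0.5/admin>;alg=ES256;ppt=shaken",
    "scheme":   "Identity: eyJhbGciOiJFUzI1NiJ9.eyJhdHRlc3QiOiJBIn0.c2ln;info=<file:///etc/asterisk/pjsip.conf>;alg=ES256;ppt=shaken",
    "missing":  "Identity: eyJhbGciOiJFUzI1NiJ9.eyJhdHRlc3QiOiJBIn0.c2ln;alg=ES256;ppt=shaken",
}

# The info=<...> parameter; RFC 8224 requires the angle brackets around the URL.
_INFO_RE = re.compile(r";\s*info\s*=\s*<([^>]*)>", re.IGNORECASE)


def extract_info_url(header):
    """Return the URL inside the Identity header's info=<...> parameter, or None if absent."""
    match = _INFO_RE.search(header)
    return match.group(1).strip() if match else None


def classify_info_url(url):
    """Return the reasons this certificate URL must not be fetched; an empty list means it passes.

    Policy (an assumption of this example, not Asterisk's): only https, a real host name or
    public address, no localhost names, and only the default https port.
    """
    reasons = []
    parsed = urlparse(url)
    if parsed.scheme.lower() != "https":
        reasons.append("scheme-not-https")
    host = parsed.hostname
    if not host:
        reasons.append("no-host")
        return reasons
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a host name rather than a literal address
    if addr is not None:
        # Literal address: loopback, RFC 1918, link-local, ULA, multicast etc. are all rejected.
        if not addr.is_global:
            reasons.append("non-public-ip")
    elif host.lower() == "localhost" or host.lower().endswith(".localhost"):
        reasons.append("localhost-name")
    try:
        port = parsed.port  # raises ValueError for a malformed port such as "host:abc"
    except ValueError:
        reasons.append("bad-port")
        return reasons
    if port not in (None, 443):
        reasons.append("non-standard-port")
    return reasons


def check_identity_header(header):
    """Return (url, reasons) for one Identity header; a missing info parameter is itself a reason."""
    url = extract_info_url(header)
    if url is None:
        return None, ["missing-info"]
    return url, classify_info_url(url)


if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        url, reasons = check_identity_header(header)
        verdict = "fetch" if not reasons else "block (" + ", ".join(reasons) + ")"
        print(f"{name:9s} {url!s:50s} -> {verdict}")
```

This is a static pre-filter suitable for an ingress proxy or for scanning SIP traces; it deliberately performs no DNS lookups so it runs offline. A host name that passes here can still resolve to an internal address (DNS rebinding), so the resolved address must also be checked at connect time, and egress filtering from the Asterisk host remains the more robust control.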

Fix

Weakness Enumeration

SSRF

Related Identifiers

CVE-2022-26499
DLA-3194-1
DSA-5285-1

Affected Products

Asterisk