PT-2022-17984 · Sangoma+1 · Asterisk+1
Leandro Dardini · Published 2020-07-06 · Updated 2023-02-02
CVE-2022-26651 · CVSS v3.1 9.8 Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Asterisk versions prior to 16.25.2
Asterisk versions prior to 18.11.2
Asterisk versions prior to 19.3.2
Certified Asterisk versions prior to 16.8-cert14
Description
An issue was discovered in the func_odbc module, whose escaping of user-supplied values may not adequately handle backslash characters in SQL queries. Data containing backslashes can therefore produce a malformed SQL query or possibly a SQL injection.
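To make the weakness class concrete, the following added example (constructed for this page, not code from Asterisk or the func_odbc module) contrasts a naive escaper that only doubles single quotes with one that also doubles backslashes, and checks whether a user value stays confined to its quoted literal under MySQL-style string rules, where a backslash escapes the following character. The query template, the contact-lookup column names and the sample values are all assumptions made for the illustration.

```python
"""Why escaping only single quotes is insufficient when the SQL dialect
treats backslash as an escape character inside string literals.

Constructed illustration; this is not the func_odbc implementation.
"""
from typing import Callable, Optional


def escape_quotes_only(value: str) -> str:
    """Naive escaper: doubles single quotes, leaves backslashes untouched."""
    return value.replace("'", "''")


def escape_quotes_and_backslashes(value: str) -> str:
    """Backslash-aware escaper for dialects where '\\' escapes the next char.

    Backslashes are doubled first so the quote doubling is not re-escaped.
    """
    return value.replace("\\", "\\\\").replace("'", "''")


def literal_end(sql: str, start: int) -> Optional[int]:
    """Return the index just past the closing quote of the string literal
    that opens at sql[start], using MySQL-style rules ('' is an escaped
    quote, a backslash escapes the following character), or None if the
    literal never closes."""
    assert sql[start] == "'"
    i, n = start + 1, len(sql)
    while i < n:
        c = sql[i]
        if c == "\\":          # backslash consumes the next character
            i += 2
            continue
        if c == "'":
            if i + 1 < n and sql[i + 1] == "'":   # doubled quote stays inside
                i += 2
                continue
            return i + 1        # real closing quote
        i += 1
    return None


def literal_is_intact(template: str, value: str,
                      escaper: Callable[[str], str]) -> bool:
    """Build the query with `escaper` and report whether the user value is
    still confined to the literal the template wrote for it: the literal
    must close, and everything after it must be the template's own tail."""
    prefix, suffix = template.split("{}")
    sql = prefix + "'" + escaper(value) + "'" + suffix
    end = literal_end(sql, len(prefix))
    return end is not None and sql[end:] == suffix


# Hypothetical template with a second literal after the user-controlled one,
# so a shifted literal boundary is visible.
TEMPLATE = "SELECT name FROM contacts WHERE ext = {} AND status = 'active'"


def check_all() -> dict:
    """Constructed sample values run through both escapers."""
    samples = ["O'Brien", "x\\"]   # second value ends with a backslash
    return {
        (v, esc.__name__): literal_is_intact(TEMPLATE, v, esc)
        for v in samples
        for esc in (escape_quotes_only, escape_quotes_and_backslashes)
    }


if __name__ == "__main__":
    for (value, name), ok in check_all().items():
        print(f"{name:32s} {value!r:12s} literal intact: {ok}")
```

With the naive escaper, a value ending in a backslash turns the intended closing quote into an escaped character, so the literal runs on until the template's next quote and the remainder of the query is no longer what the template wrote; the backslash-aware escaper keeps the value inside its literal. Whether doubling backslashes is the right escaping depends on the backend behind ODBC (some treat backslash as an ordinary character, in which case doubling corrupts the stored data), which is why bound parameters are the more robust choice where the driver supports them.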
Recommendations
For Asterisk versions prior to 16.25.2, update to version 16.25.2 or later.
For Asterisk versions prior to 18.11.2, update to version 18.11.2 or later.
For Asterisk versions prior to 19.3.2, update to version 19.3.2 or later.
For Certified Asterisk versions prior to 16.8-cert14, update to version 16.8-cert14 or later.
As a temporary workaround, consider disabling the func_odbc module until a patch is available.
Weakness Enumeration
SQL injection
Affected Products
Alt Linux
Asterisk