PT-2023-7804

Avocadio · Published 2023-12-14 · Updated 2025-02-13 · CVE-2023-49294

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Asterisk versions prior to 18.20.1, 20.5.1, and 21.0.1; certified-asterisk versions prior to 18.9-cert6.

Description
The vulnerability is in the Asterisk Management Interface (AMI) and is caused by improper restriction of a path name to the intended configuration directory. This allows an attacker to read arbitrary files using the AMI GetConfig command, even when the live_dangerously option is not enabled.

Recommendations
For Asterisk versions prior to 18.20.1, update to version 18.20.1 or later. For Asterisk versions prior to 20.5.1, update to version 20.5.1 or later. For Asterisk versions prior to 21.0.1, update to version 21.0.1 or later. For certified-asterisk versions prior to 18.9-cert6, update to a version that contains the fix for this issue. As a temporary workaround, restrict access to the AMI until the patch is applied.

Weakness Enumeration

Path traversal

Related Identifiers

ALT-PU-2025-2613
BDU:2023-08871
CVE-2023-49294
DLA-3696-1
DSA-5596-1
GHSA-8857-HFMW-VG8F

Affected Products

Alt Linux
Asterisk
Red OS
Certified Asterisk