CVE-2023-49294

Published: Dic 14, 2023 Last Modified: Nov 21, 2024
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 4,9
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: high
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: none
Availability: none

Description

AI Translation Available

Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, it is possible to read any arbitrary file even when the `live_dangerously` is not enabled. This allows arbitrary files to be read. Asterisk versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, contain a fix for this issue.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,1036
Percentile
0,9th
Updated

EPSS Score Trend (Last 90 Days)

22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Stable
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Confidentiality Availability
Potential Impacts:
Execute Unauthorized Code Or Commands Modify Files Or Directories Read Files Or Directories Dos: Crash, Exit, Or Restart
Applicable Platforms
Technologies: AI/ML
Likelihood of Exploit: High
View CWE Details
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 13.13.0
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc4:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 13.13.0
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert3:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 18.9
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert3:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert4:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert8:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:-:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 18.9
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert5:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 13.13.0
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert7:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 13.13.0
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert2:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 13.13.0
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc2:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 13.13.0
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:rc1:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 13.13.0
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc1:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 18.9
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 18.9
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert4:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 18.9
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert2:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert2:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert3:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Asterisk by Digium

Product Information
Vendor Digium
Product Asterisk
Version Range Affected
To 18.20.1 (exclusive)
cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert11:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert1:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert12:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 13.13.0
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:rc2:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert9:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert6:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 13.13.0
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Asterisk by Digium

Product Information
Vendor Digium
Product Asterisk
Version 21.0.0
cpe:2.3:a:digium:asterisk:21.0.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert5:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 13.13.0
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc3:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Certified Asterisk by Sangoma

Product Information
Vendor Sangoma
Product Certified Asterisk
Version 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert10:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Asterisk by Digium

Product Information
Vendor Digium
Product Asterisk
Version Range Affected
From 19.0.0 (inclusive)
To 20.5.1 (exclusive)
cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://github.com/asterisk/asterisk/blob/master/main/manag…
Product
https://github.com/asterisk/asterisk/blob/master/main/manager.c#L3757
https://github.com/asterisk/asterisk/commit/424be345639d75c…
Patch
https://github.com/asterisk/asterisk/commit/424be345639d75c6cb7d0bd2da5f0f407db…
https://github.com/asterisk/asterisk/security/advisories/GH…
Vendor Advisory
https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f
https://lists.debian.org/debian-lts-announce/2023/12/msg000…
https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html
https://github.com/asterisk/asterisk/blob/master/main/manag…
Product
https://github.com/asterisk/asterisk/blob/master/main/manager.c#L3757
https://github.com/asterisk/asterisk/commit/424be345639d75c…
Patch
https://github.com/asterisk/asterisk/commit/424be345639d75c6cb7d0bd2da5f0f407db…
https://github.com/asterisk/asterisk/security/advisories/GH…
Vendor Advisory
https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f
https://lists.debian.org/debian-lts-announce/2023/12/msg000…
https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html