CVE-2019-18610 - Missing Authorization vulnerability in multiple products
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | LOW |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
An issue was discovered in manager.c in Sangoma Asterisk through 13.x, 16.x, 17.x and Certified Asterisk 13.21 through 13.21-cert4. A remote authenticated Asterisk Manager Interface (AMI) user without system authorization could use a specially crafted Originate AMI request to execute arbitrary system commands.
Nessus
NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_49B61AB60D0411EA87CA001999F8D30B.NASL |
description | The Asterisk project reports: A remote authenticated Asterisk Manager Interface (AMI) user without system authorization could use a specially crafted Originate AMI request to execute arbitrary system commands. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 131260 |
published | 2019-11-25 |
reporter | This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/131260 |
title | FreeBSD : asterisk -- AMI user could execute system commands (49b61ab6-0d04-11ea-87ca-001999f8d30b) |
References
- http://downloads.asterisk.org/pub/security/AST-2019-007.html
- https://lists.debian.org/debian-lts-announce/2019/11/msg00038.html
- https://lists.debian.org/debian-lts-announce/2022/04/msg00001.html
- https://www.asterisk.org/downloads/security-advisories