CVE-2022-26499 - Server-Side Request Forgery (SSRF) vulnerability in multiple products
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: NONE
Summary
An SSRF issue was discovered in Asterisk through 19.x. When STIR/SHAKEN verification is in use, a remote caller can make Asterisk send arbitrary requests (such as HTTP GET) to interfaces such as localhost by way of the SIP Identity header: in STIR/SHAKEN (RFC 8224) that header carries an info parameter whose URI tells the verifier where to download the signer's certificate, and Asterisk followed the attacker-supplied URI without checking where it pointed. This is fixed in 16.25.2, 18.11.2, and 19.3.2.
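The check a verifier needs before following the info URI, as an added example that is not Asterisk's code and does not describe its actual fix: parse the Identity header, pull out the info=<URI> parameter, and refuse anything that is not HTTPS, carries userinfo, names localhost, or points at (or resolves to) a loopback, private, link-local, multicast or otherwise non-routable address. The hostnames, addresses, DNS table and the dummy PASSporT token are constructed for the demo; the resolver is injectable so the example runs offline.

```python
"""Added example (not Asterisk project code): vetting the STIR/SHAKEN
Identity header's info URI before fetching the signer's certificate.
Following that URI unchecked is the SSRF described in CVE-2022-26499.
Hostnames, addresses and the PASSporT token below are constructed."""
import ipaddress
import re
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}  # policy: certificates are fetched over HTTPS only
# ";name=value" pairs; an angle-bracketed value may itself contain ';'
_PARAM_RE = re.compile(r";\s*([A-Za-z0-9_-]+)=(<[^>]*>|[^;]*)")
Resolver = Callable[[str], Iterable[str]]


def parse_identity_header(value: str) -> dict:
    """Split 'PASSporT;info=<uri>;alg=ES256;ppt=shaken' into a dict."""
    passport, _, rest = value.partition(";")
    fields = {"passport": passport.strip()}
    for m in _PARAM_RE.finditer(";" + rest):
        key, raw = m.group(1).lower(), m.group(2).strip()
        if raw.startswith("<") and raw.endswith(">"):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def _is_internal(ip) -> bool:
    """True for loopback, RFC 1918, link-local, multicast, reserved, etc."""
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:127.0.0.1 -> 127.0.0.1
    if mapped is not None:
        ip = mapped
    return ip.is_multicast or ip.is_reserved or not ip.is_global


def system_resolver(host: str) -> Iterable[str]:
    """Default resolver: real DNS via getaddrinfo (the demo injects a fake one)."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []


def info_uri_rejection_reason(uri: str, resolve: Resolver = system_resolver) -> Optional[str]:
    """Return None if the URI may be fetched, otherwise the reason to refuse."""
    try:
        parts = urlsplit(uri)
        _ = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return f"unparseable URI: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return "userinfo in URI"
    host = parts.hostname
    if not host:
        return "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return "localhost"
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:  # IP literal: judge it directly, no DNS involved
        return f"address {host} is not publicly routable" if _is_internal(literal) else None
    addresses = list(resolve(host))  # name: judge every address it resolves to
    if not addresses:
        return f"{host} does not resolve"
    for addr in addresses:
        if _is_internal(ipaddress.ip_address(addr)):
            return f"{host} resolves to internal address {addr}"
    return None


def certificate_url(identity_header: str, resolve: Resolver = system_resolver) -> str:
    """Extract and vet the info URI; raise instead of fetching a bad one."""
    uri = parse_identity_header(identity_header).get("info")
    if uri is None:
        raise ValueError("Identity header has no info parameter")
    reason = info_uri_rejection_reason(uri, resolve)
    if reason is not None:
        raise ValueError(f"refusing to fetch {uri}: {reason}")
    return uri


# Constructed DNS table so the demo runs offline: 1.2.3.4 stands in for a
# public address, 10.0.0.5 for an internal one.
FAKE_DNS = {"cert.example.com": ["1.2.3.4"], "pbx-internal.example.com": ["10.0.0.5"]}


def fake_resolve(host: str) -> Iterable[str]:
    return FAKE_DNS.get(host.lower(), [])


# Constructed headers; the PASSporT is a dummy three-part token, not a real JWS.
DUMMY_PASSPORT = "eyJhbGciOiJFUzI1NiJ9.e30.c2ln"
SAMPLE_HEADERS = {
    "good": DUMMY_PASSPORT + ";info=<https://cert.example.com/cert.pem>;alg=ES256;ppt=shaken",
    "loopback_http": DUMMY_PASSPORT + ";info=<http://127.0.0.1/>;alg=ES256;ppt=shaken",
    "mapped_v6": DUMMY_PASSPORT + ";info=<https://[::ffff:127.0.0.1]/cert.pem>;alg=ES256;ppt=shaken",
    "metadata": DUMMY_PASSPORT + ";info=<https://169.254.169.254/latest/meta-data/>;alg=ES256;ppt=shaken",
    "internal_name": DUMMY_PASSPORT + ";info=<https://pbx-internal.example.com/cert.pem>;alg=ES256;ppt=shaken",
}

if __name__ == "__main__":
    for name, hdr in SAMPLE_HEADERS.items():
        try:
            print(f"{name:14s} fetch  {certificate_url(hdr, fake_resolve)}")
        except ValueError as exc:
            print(f"{name:14s} REJECT {exc}")
```

Only the first sample header is accepted; the others are refused for scheme, IPv4-mapped loopback, link-local metadata address and internal DNS answer respectively. In a real verifier the address returned by the resolver should also be the one the HTTP client connects to (resolve once, check, pin), otherwise a second lookup at connect time reopens the hole through DNS rebinding.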
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- http://packetstormsecurity.com/files/166745/Asterisk-Project-Security-Advisory-AST-2022-002.html
- https://downloads.asterisk.org/pub/security/
- https://downloads.asterisk.org/pub/security/AST-2022-002.html
- https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
- https://www.debian.org/security/2022/dsa-5285