CVE-2012-2414

Asterisk Open Source <10.3.1 - Command Injection

Title source: llm

Description

main/manager.c in the Manager Interface in Asterisk Open Source 1.6.2.x before 1.6.2.24, 1.8.x before 1.8.11.1, and 10.x before 10.3.1 and Asterisk Business Edition C.3.x before C.3.7.4 does not properly enforce System class authorization requirements, which allows remote authenticated users to execute arbitrary commands via (1) the originate action in the MixMonitor application, (2) the SHELL and EVAL functions in the GetVar manager action, or (3) the SHELL and EVAL functions in the Status manager action.

References (9)

[Patch, Vendor Advisory] http://downloads.asterisk.org/pub/security/AST-2012-004.html

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/53206

[Mailing List, Third Party Advisory] http://lists.fedoraproject.org/pipermail/package-announce/2012-May/079759.html

[Third Party Advisory] http://www.debian.org/security/2012/dsa-2460

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/75100

[Third Party Advisory, VDB Entry] http://osvdb.org/81454

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id?1026961

[Third Party Advisory] http://secunia.com/advisories/48891

[Third Party Advisory] http://secunia.com/advisories/48941

Scores

EPSS 0.0428

EPSS Percentile 88.7%

Classification

CWE

CWE-287

Status draft

Affected Products (50)

asterisk/open_source

asterisk/open_source

asterisk/open_source

asterisk/open_source

asterisk/open_source

asterisk/open_source

asterisk/open_source

asterisk/open_source

asterisk/open_source

asterisk/open_source

asterisk/open_source

asterisk/open_source

asterisk/open_source

asterisk/open_source

asterisk/open_source

... and 35 more

Timeline

Published Apr 30, 2012

Tracked Since Feb 18, 2026