CVE-2012-2414

Asterisk Open Source <10.3.1 - Command Injection

Title source: llm

Description

main/manager.c in the Manager Interface in Asterisk Open Source 1.6.2.x before 1.6.2.24, 1.8.x before 1.8.11.1, and 10.x before 10.3.1 and Asterisk Business Edition C.3.x before C.3.7.4 does not properly enforce System class authorization requirements, which allows remote authenticated users to execute arbitrary commands via (1) the originate action in the MixMonitor application, (2) the SHELL and EVAL functions in the GetVar manager action, or (3) the SHELL and EVAL functions in the Status manager action.

References (9)

Core References
Third Party Advisory [vendor-advisory, x_refsource_debian]: http://www.debian.org/security/2012/dsa-2460
Third Party Advisory, VDB Entry [vdb-entry, x_refsource_osvdb]: http://osvdb.org/81454
Third Party Advisory, VDB Entry [vdb-entry, x_refsource_sectrack]: http://www.securitytracker.com/id?1026961
Patch, Vendor Advisory [x_refsource_confirm]: http://downloads.asterisk.org/pub/security/AST-2012-004.html
Third Party Advisory [third-party-advisory, x_refsource_secunia]: http://secunia.com/advisories/48941
Third Party Advisory, VDB Entry [vdb-entry, x_refsource_bid]: http://www.securityfocus.com/bid/53206
Third Party Advisory, VDB Entry [vdb-entry, x_refsource_xf]: https://exchange.xforce.ibmcloud.com/vulnerabilities/75100
Mailing List, Third Party Advisory [vendor-advisory, x_refsource_fedora]: http://lists.fedoraproject.org/pipermail/package-announce/2012-May/079759.html
Third Party Advisory [third-party-advisory, x_refsource_secunia]: http://secunia.com/advisories/48891

Scores

EPSS 0.0272
EPSS Percentile 84.2%

Details

CWE
CWE-287
Status published
Products (22)
asterisk/open_source 1.6.2.0 (8 CPE variants)
asterisk/open_source 1.6.2.1 (2 CPE variants)
asterisk/open_source 1.6.2.2
asterisk/open_source 1.6.2.3 rc2
asterisk/open_source 1.6.2.4
asterisk/open_source 1.6.2.5
asterisk/open_source 1.6.2.6 (3 CPE variants)
asterisk/open_source 1.6.2.7 (4 CPE variants)
asterisk/open_source 1.6.2.8 (2 CPE variants)
asterisk/open_source 1.6.2.9 (4 CPE variants)
... and 12 more
Published Apr 30, 2012
Tracked Since Feb 18, 2026