CVE-2017-14100

CRITICAL

Asterisk <11.25.2-14.6.1 - Command Injection


Description

In Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized command execution is possible. The app_minivm module has an "externnotify" program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection.

References (6)

Core References
- https://issues.asterisk.org/jira/browse/ASTERISK-27103 (Issue Tracking, Patch, Third Party Advisory; x_refsource_confirm)
- http://www.securitytracker.com/id/1039252 (Third Party Advisory, VDB Entry; vdb-entry, x_refsource_sectrack)
- https://bugs.debian.org/873908 (Issue Tracking, Patch, Third Party Advisory; x_refsource_confirm)
- https://security.gentoo.org/glsa/201710-29 (Third Party Advisory; vendor-advisory, x_refsource_gentoo)
- http://www.debian.org/security/2017/dsa-3964 (Third Party Advisory; vendor-advisory, x_refsource_debian)

Scores

CVSS v3: 9.8
EPSS: 0.1491
EPSS Percentile: 96.3%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-78
Status: published
Products (34)
digium/asterisk 13.0.0 (4 CPE variants)
digium/asterisk 13.0.1
digium/asterisk 13.0.2
digium/asterisk 13.1.0 (3 CPE variants)
digium/asterisk 13.1.1
digium/asterisk 13.2.0 (2 CPE variants)
digium/asterisk 13.2.1
digium/asterisk 13.3.0 rc1
digium/asterisk 13.3.2
digium/asterisk 13.4.0 (2 CPE variants)
... and 24 more
Published: Sep 02, 2017
Tracked Since: Feb 18, 2026