CVE-2023-49294
Severity: MEDIUM
Asterisk <18.20.1, <20.5.1, <21.0.1 - Info Disclosure
Title source: llmDescription
Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, it is possible to read any arbitrary file even when the `live_dangerously` option is not enabled. Asterisk versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, contain a fix for this issue.
References
Vendor Advisory (x_refsource_confirm): https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f
Patch (x_refsource_misc): https://github.com/asterisk/asterisk/commit/424be345639d75c6cb7d0bd2da5f0f407dbd0bd5
Product (x_refsource_misc): https://github.com/asterisk/asterisk/blob/master/main/manager.c#L3757
Scores
CVSS v3: 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
Attack Vector: NETWORK
EPSS: 0.1709
EPSS Percentile: 95.0%
Details
CWE: CWE-22
Status: published
Products (5)
digium/asterisk 21.0.0
digium/asterisk < 18.20.1
sangoma/certified_asterisk 13.13.0 (10 CPE variants)
sangoma/certified_asterisk 16.8.0 (13 CPE variants)
sangoma/certified_asterisk 18.9 cert1 (5 CPE variants)
Published: Dec 14, 2023
Tracked Since: Feb 18, 2026