CVE-2024-57520

CRITICAL

Sangoma Asterisk < 22.5.1 - Incorrect Permission Assignment

Title source: rule

Description

Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function. NOTE: this is disputed by the Supplier because the impact is limited to creating empty files outside of the Asterisk product directory (aka directory traversal) and the attack can only be performed by a privileged user who has the ability to manage the configuration.

References (2)

[Third Party Advisory] https://gist.github.com/hyp164D1/ae76ab25acfbe263b2ed7b24b6e5c621

[Issue Tracking] https://github.com/asterisk/asterisk/issues/1122

Scores

CVSS v3 9.8

EPSS 0.0352

EPSS Percentile 87.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-732

Status published

Products (1)

sangoma/asterisk 22.0.0 - 22.5.1

Published Feb 05, 2025

Tracked Since Feb 18, 2026