cvelistv5 - CVE-2022-42706

CVE-2022-42706

Vulnerability from cvelistv5

Published

2022-12-05 00:00

Modified

2024-08-03 13:10

Severity ?

Summary

An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to access files outside of the asterisk configuration directory, aka Directory Traversal.

References

URL	Tags
cve@mitre.org	https://downloads.asterisk.org/pub/security/AST-2022-009.html	Patch, Vendor Advisory
cve@mitre.org	https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html
cve@mitre.org	https://www.debian.org/security/2023/dsa-5358
af854a3a-2127-422b-91ae-364da2661108	https://downloads.asterisk.org/pub/security/AST-2022-009.html	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html
af854a3a-2127-422b-91ae-364da2661108	https://www.debian.org/security/2023/dsa-5358

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:10:41.367Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://downloads.asterisk.org/pub/security/AST-2022-009.html"
          },
          {
            "name": "[debian-lts-announce] 20230222 [SECURITY] [DLA 3335-1] asterisk security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html"
          },
          {
            "name": "DSA-5358",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5358"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to access files outside of the asterisk configuration directory, aka Directory Traversal."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-02-23T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://downloads.asterisk.org/pub/security/AST-2022-009.html"
        },
        {
          "name": "[debian-lts-announce] 20230222 [SECURITY] [DLA 3335-1] asterisk security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html"
        },
        {
          "name": "DSA-5358",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2023/dsa-5358"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-42706",
    "datePublished": "2022-12-05T00:00:00",
    "dateReserved": "2022-10-10T00:00:00",
    "dateUpdated": "2024-08-03T13:10:41.367Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-42706\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2022-12-05T21:15:10.227\",\"lastModified\":\"2024-11-21T07:25:11.513\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to access files outside of the asterisk configuration directory, aka Directory Traversal.\"},{\"lang\":\"es\",\"value\":\"Se descubri\u00f3 un problema en Sangoma Asterisk hasta 16.28, 17 y 18 hasta 18.14, 19 hasta 19.6 y se certific\u00f3 hasta 18.9-cert1. GetConfig, a trav\u00e9s de la interfaz de Asterisk Manager, permite que una aplicaci\u00f3n conectada acceda a archivos fuera del directorio de configuraci\u00f3n de Asterisk, aka como Directory Traversal.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":4.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.0.0\",\"versionEndExcluding\":\"16.29.1\",\"matchCriteriaId\":\"3632620E-8A6D-4D65-BED9-80C0E7CEA8DD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"17.0.0\",\"versionEndExcluding\":\"18.15.1\",\"matchCriteriaId\":\"EF6570E5-A413-42C2-87E2-873F65BE20D5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"19.0.0\",\"versionEndExcluding\":\"19.7.1\",\"matchCriteriaId\":\"A1A640E6-6378-4FA4-98B5-C32B5A937F7B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:asterisk:20.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"ADB799D3-B6BE-468C-8D3E-B087ED287B24\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"18.9\",\"matchCriteriaId\":\"B71A493F-F47B-4F19-AD21-3800DE63DF5A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1:*:*:*:*:*:*\",\"matchCriteriaId\":\"79EEB5E5-B79E-454B-8DCD-3272BA337A9E\"}]}]}],\"references\":[{\"url\":\"https://downloads.asterisk.org/pub/security/AST-2022-009.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.debian.org/security/2023/dsa-5358\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://downloads.asterisk.org/pub/security/AST-2022-009.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.debian.org/security/2023/dsa-5358\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

fkie_cve-2022-42706

Vulnerability from fkie_nvd

Published

2022-12-05 21:15

Modified

2024-11-21 07:25

Severity ?

4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
cve@mitre.org	https://downloads.asterisk.org/pub/security/AST-2022-009.html	Patch, Vendor Advisory
cve@mitre.org	https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html
cve@mitre.org	https://www.debian.org/security/2023/dsa-5358
af854a3a-2127-422b-91ae-364da2661108	https://downloads.asterisk.org/pub/security/AST-2022-009.html	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html
af854a3a-2127-422b-91ae-364da2661108	https://www.debian.org/security/2023/dsa-5358

Impacted products

Vendor	Product	Version
sangoma	asterisk	*
sangoma	asterisk	*
sangoma	asterisk	*
sangoma	asterisk	20.0.0
sangoma	certified_asterisk	*
sangoma	certified_asterisk	18.9

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3632620E-8A6D-4D65-BED9-80C0E7CEA8DD",
              "versionEndExcluding": "16.29.1",
              "versionStartIncluding": "16.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF6570E5-A413-42C2-87E2-873F65BE20D5",
              "versionEndExcluding": "18.15.1",
              "versionStartIncluding": "17.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A1A640E6-6378-4FA4-98B5-C32B5A937F7B",
              "versionEndExcluding": "19.7.1",
              "versionStartIncluding": "19.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:asterisk:20.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "ADB799D3-B6BE-468C-8D3E-B087ED287B24",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B71A493F-F47B-4F19-AD21-3800DE63DF5A",
              "versionEndExcluding": "18.9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1:*:*:*:*:*:*",
              "matchCriteriaId": "79EEB5E5-B79E-454B-8DCD-3272BA337A9E",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to access files outside of the asterisk configuration directory, aka Directory Traversal."
    },
    {
      "lang": "es",
      "value": "Se descubri\u00f3 un problema en Sangoma Asterisk hasta 16.28, 17 y 18 hasta 18.14, 19 hasta 19.6 y se certific\u00f3 hasta 18.9-cert1. GetConfig, a trav\u00e9s de la interfaz de Asterisk Manager, permite que una aplicaci\u00f3n conectada acceda a archivos fuera del directorio de configuraci\u00f3n de Asterisk, aka como Directory Traversal."
    }
  ],
  "id": "CVE-2022-42706",
  "lastModified": "2024-11-21T07:25:11.513",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-12-05T21:15:10.227",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://downloads.asterisk.org/pub/security/AST-2022-009.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.debian.org/security/2023/dsa-5358"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://downloads.asterisk.org/pub/security/AST-2022-009.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.debian.org/security/2023/dsa-5358"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

WID-SEC-W-2022-2218

Vulnerability from csaf_certbund

Published

2022-12-01 23:00

Modified

2024-12-08 23:00

Summary

Asterisk: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Asterisk ist eine komplette Open Source Multiprotokoll Telefonanlage (PBX) auf Softwarebasis.

Angriff

Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Asterisk ausnutzen, um einen Denial of Service Angriff durchzuführen oder Informationen offenzulegen.

Betroffene Betriebssysteme

- Linux - Sonstiges - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Asterisk ist eine komplette Open Source Multiprotokoll Telefonanlage (PBX) auf Softwarebasis.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Asterisk ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren oder Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2022-2218 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-2218.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2022-2218 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-2218"
      },
      {
        "category": "external",
        "summary": "Asterisk Security Advisory AST-2022-007 vom 2022-12-01",
        "url": "https://downloads.asterisk.org/pub/security/AST-2022-007.html"
      },
      {
        "category": "external",
        "summary": "Asterisk Security Advisory AST-2022-008 vom 2022-12-01",
        "url": "https://downloads.asterisk.org/pub/security/AST-2022-008.html"
      },
      {
        "category": "external",
        "summary": "Asterisk Security Advisory AST-2022-009 vom 2022-12-01",
        "url": "https://downloads.asterisk.org/pub/security/AST-2022-009.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-3335 vom 2023-02-23",
        "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-5358 vom 2023-02-23",
        "url": "https://lists.debian.org/debian-security-announce/2023/msg00047.html"
      },
      {
        "category": "external",
        "summary": "Gentoo Linux Security Advisory GLSA-202412-03 vom 2024-12-07",
        "url": "https://security.gentoo.org/glsa/202412-03"
      }
    ],
    "source_lang": "en-US",
    "title": "Asterisk: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2024-12-08T23:00:00.000+00:00",
      "generator": {
        "date": "2024-12-09T09:22:01.768+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.10"
        }
      },
      "id": "WID-SEC-W-2022-2218",
      "initial_release_date": "2022-12-01T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2022-12-01T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2023-02-22T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2024-12-08T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Gentoo aufgenommen"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c18.9-cert3",
                "product": {
                  "name": "Digium Certified Asterisk \u003c18.9-cert3",
                  "product_id": "T025465"
                }
              },
              {
                "category": "product_version",
                "name": "18.9-cert3",
                "product": {
                  "name": "Digium Certified Asterisk 18.9-cert3",
                  "product_id": "T025465-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:digium:certified_asterisk:18.9-cert3"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Certified Asterisk"
          }
        ],
        "category": "vendor",
        "name": "Digium"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Gentoo Linux",
            "product": {
              "name": "Gentoo Linux",
              "product_id": "T012167",
              "product_identification_helper": {
                "cpe": "cpe:/o:gentoo:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Gentoo"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c16.29.1",
                "product": {
                  "name": "Open Source Asterisk \u003c16.29.1",
                  "product_id": "T025458"
                }
              },
              {
                "category": "product_version",
                "name": "16.29.1",
                "product": {
                  "name": "Open Source Asterisk 16.29.1",
                  "product_id": "T025458-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:digium:asterisk:16.29.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c18.15.1",
                "product": {
                  "name": "Open Source Asterisk \u003c18.15.1",
                  "product_id": "T025459"
                }
              },
              {
                "category": "product_version",
                "name": "18.15.1",
                "product": {
                  "name": "Open Source Asterisk 18.15.1",
                  "product_id": "T025459-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:digium:asterisk:18.15.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c19.7.1",
                "product": {
                  "name": "Open Source Asterisk \u003c19.7.1",
                  "product_id": "T025460"
                }
              },
              {
                "category": "product_version",
                "name": "19.7.1",
                "product": {
                  "name": "Open Source Asterisk 19.7.1",
                  "product_id": "T025460-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:digium:asterisk:19.7.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c20.0.1",
                "product": {
                  "name": "Open Source Asterisk \u003c20.0.1",
                  "product_id": "T025461"
                }
              },
              {
                "category": "product_version",
                "name": "20.0.1",
                "product": {
                  "name": "Open Source Asterisk 20.0.1",
                  "product_id": "T025461-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:digium:asterisk:20.0.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Asterisk"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-37325",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Asterisk. Diese ist auf einen Integer-Unterlauf im \"h323\"-Modul zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T025460",
          "2951",
          "T025459",
          "T025458",
          "T025465",
          "T012167",
          "T025461"
        ]
      },
      "release_date": "2022-12-01T23:00:00.000+00:00",
      "title": "CVE-2022-37325"
    },
    {
      "cve": "CVE-2022-42705",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Asterisk. Diese ist auf einen Use-after-Free-Fehler in \"res_pjsip_pubsub.c\" zur\u00fcckzuf\u00fchren. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T025460",
          "2951",
          "T025459",
          "T025458",
          "T025465",
          "T012167",
          "T025461"
        ]
      },
      "release_date": "2022-12-01T23:00:00.000+00:00",
      "title": "CVE-2022-42705"
    },
    {
      "cve": "CVE-2022-42706",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Asterisk. Nutzer mit der \"config\"-Berechtigung k\u00f6nnen Dateien ausserhalb des Asterisk-Verzeichnisses lesen. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, um Informationen offenzulegen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T025460",
          "2951",
          "T025459",
          "T025458",
          "T025465",
          "T012167",
          "T025461"
        ]
      },
      "release_date": "2022-12-01T23:00:00.000+00:00",
      "title": "CVE-2022-42706"
    }
  ]
}

wid-sec-w-2022-2218

Vulnerability from csaf_certbund

Published

2022-12-01 23:00

Modified

2024-12-08 23:00

Summary

Asterisk: Mehrere Schwachstellen

Notes

Produktbeschreibung

Asterisk ist eine komplette Open Source Multiprotokoll Telefonanlage (PBX) auf Softwarebasis.

Angriff

Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Asterisk ausnutzen, um einen Denial of Service Angriff durchzuführen oder Informationen offenzulegen.

Betroffene Betriebssysteme

- Linux - Sonstiges - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Asterisk ist eine komplette Open Source Multiprotokoll Telefonanlage (PBX) auf Softwarebasis.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Asterisk ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren oder Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2022-2218 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-2218.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2022-2218 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-2218"
      },
      {
        "category": "external",
        "summary": "Asterisk Security Advisory AST-2022-007 vom 2022-12-01",
        "url": "https://downloads.asterisk.org/pub/security/AST-2022-007.html"
      },
      {
        "category": "external",
        "summary": "Asterisk Security Advisory AST-2022-008 vom 2022-12-01",
        "url": "https://downloads.asterisk.org/pub/security/AST-2022-008.html"
      },
      {
        "category": "external",
        "summary": "Asterisk Security Advisory AST-2022-009 vom 2022-12-01",
        "url": "https://downloads.asterisk.org/pub/security/AST-2022-009.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-3335 vom 2023-02-23",
        "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-5358 vom 2023-02-23",
        "url": "https://lists.debian.org/debian-security-announce/2023/msg00047.html"
      },
      {
        "category": "external",
        "summary": "Gentoo Linux Security Advisory GLSA-202412-03 vom 2024-12-07",
        "url": "https://security.gentoo.org/glsa/202412-03"
      }
    ],
    "source_lang": "en-US",
    "title": "Asterisk: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2024-12-08T23:00:00.000+00:00",
      "generator": {
        "date": "2024-12-09T09:22:01.768+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.10"
        }
      },
      "id": "WID-SEC-W-2022-2218",
      "initial_release_date": "2022-12-01T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2022-12-01T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2023-02-22T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2024-12-08T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Gentoo aufgenommen"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c18.9-cert3",
                "product": {
                  "name": "Digium Certified Asterisk \u003c18.9-cert3",
                  "product_id": "T025465"
                }
              },
              {
                "category": "product_version",
                "name": "18.9-cert3",
                "product": {
                  "name": "Digium Certified Asterisk 18.9-cert3",
                  "product_id": "T025465-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:digium:certified_asterisk:18.9-cert3"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Certified Asterisk"
          }
        ],
        "category": "vendor",
        "name": "Digium"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Gentoo Linux",
            "product": {
              "name": "Gentoo Linux",
              "product_id": "T012167",
              "product_identification_helper": {
                "cpe": "cpe:/o:gentoo:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Gentoo"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c16.29.1",
                "product": {
                  "name": "Open Source Asterisk \u003c16.29.1",
                  "product_id": "T025458"
                }
              },
              {
                "category": "product_version",
                "name": "16.29.1",
                "product": {
                  "name": "Open Source Asterisk 16.29.1",
                  "product_id": "T025458-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:digium:asterisk:16.29.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c18.15.1",
                "product": {
                  "name": "Open Source Asterisk \u003c18.15.1",
                  "product_id": "T025459"
                }
              },
              {
                "category": "product_version",
                "name": "18.15.1",
                "product": {
                  "name": "Open Source Asterisk 18.15.1",
                  "product_id": "T025459-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:digium:asterisk:18.15.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c19.7.1",
                "product": {
                  "name": "Open Source Asterisk \u003c19.7.1",
                  "product_id": "T025460"
                }
              },
              {
                "category": "product_version",
                "name": "19.7.1",
                "product": {
                  "name": "Open Source Asterisk 19.7.1",
                  "product_id": "T025460-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:digium:asterisk:19.7.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c20.0.1",
                "product": {
                  "name": "Open Source Asterisk \u003c20.0.1",
                  "product_id": "T025461"
                }
              },
              {
                "category": "product_version",
                "name": "20.0.1",
                "product": {
                  "name": "Open Source Asterisk 20.0.1",
                  "product_id": "T025461-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:digium:asterisk:20.0.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Asterisk"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-37325",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Asterisk. Diese ist auf einen Integer-Unterlauf im \"h323\"-Modul zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T025460",
          "2951",
          "T025459",
          "T025458",
          "T025465",
          "T012167",
          "T025461"
        ]
      },
      "release_date": "2022-12-01T23:00:00.000+00:00",
      "title": "CVE-2022-37325"
    },
    {
      "cve": "CVE-2022-42705",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Asterisk. Diese ist auf einen Use-after-Free-Fehler in \"res_pjsip_pubsub.c\" zur\u00fcckzuf\u00fchren. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuf\u00fchren."
        }
      ],
      "product_status": {
        "known_affected": [
          "T025460",
          "2951",
          "T025459",
          "T025458",
          "T025465",
          "T012167",
          "T025461"
        ]
      },
      "release_date": "2022-12-01T23:00:00.000+00:00",
      "title": "CVE-2022-42705"
    },
    {
      "cve": "CVE-2022-42706",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in Asterisk. Nutzer mit der \"config\"-Berechtigung k\u00f6nnen Dateien ausserhalb des Asterisk-Verzeichnisses lesen. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, um Informationen offenzulegen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T025460",
          "2951",
          "T025459",
          "T025458",
          "T025465",
          "T012167",
          "T025461"
        ]
      },
      "release_date": "2022-12-01T23:00:00.000+00:00",
      "title": "CVE-2022-42706"
    }
  ]
}

gsd-2022-42706

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

Aliases

CVE-2022-42706

Aliases

CVE-2022-42706

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-42706",
    "description": "An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to access files outside of the asterisk configuration directory, aka Directory Traversal.",
    "id": "GSD-2022-42706",
    "references": [
      "https://www.debian.org/security/2023/dsa-5358"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-42706"
      ],
      "details": "An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to access files outside of the asterisk configuration directory, aka Directory Traversal.",
      "id": "GSD-2022-42706",
      "modified": "2023-12-13T01:19:10.867023Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2022-42706",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to access files outside of the asterisk configuration directory, aka Directory Traversal."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://downloads.asterisk.org/pub/security/AST-2022-009.html",
            "refsource": "MISC",
            "url": "https://downloads.asterisk.org/pub/security/AST-2022-009.html"
          },
          {
            "name": "[debian-lts-announce] 20230222 [SECURITY] [DLA 3335-1] asterisk security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html"
          },
          {
            "name": "DSA-5358",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2023/dsa-5358"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "19.7.1",
                "versionStartIncluding": "19.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "18.15.1",
                "versionStartIncluding": "17.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "16.29.1",
                "versionStartIncluding": "16.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sangoma:certified_asterisk:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "18.9",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sangoma:asterisk:20.0.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-42706"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to access files outside of the asterisk configuration directory, aka Directory Traversal."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-22"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://downloads.asterisk.org/pub/security/AST-2022-009.html",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://downloads.asterisk.org/pub/security/AST-2022-009.html"
            },
            {
              "name": "[debian-lts-announce] 20230222 [SECURITY] [DLA 3335-1] asterisk security update",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html"
            },
            {
              "name": "DSA-5358",
              "refsource": "DEBIAN",
              "tags": [],
              "url": "https://www.debian.org/security/2023/dsa-5358"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-02-24T00:15Z",
      "publishedDate": "2022-12-05T21:15Z"
    }
  }
}

ghsa-phq9-6f4r-97wc

Vulnerability from github

Published

2022-12-05 21:30

Modified

2022-12-07 21:30

Severity ?

4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-42706"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-05T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to access files outside of the asterisk configuration directory, aka Directory Traversal.",
  "id": "GHSA-phq9-6f4r-97wc",
  "modified": "2022-12-07T21:30:30Z",
  "published": "2022-12-05T21:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42706"
    },
    {
      "type": "WEB",
      "url": "https://downloads.asterisk.org/pub/security/AST-2022-009.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5358"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

var-202212-0244

Vulnerability from variot

Debian Security Advisory DSA-5358-1 security@debian.org https://www.debian.org/security/ Markus Koschany February 23, 2023 https://www.debian.org/security/faq

Package : asterisk CVE ID : CVE-2022-23537 CVE-2022-23547 CVE-2022-31031 CVE-2022-37325 CVE-2022-39244 CVE-2022-39269 CVE-2022-42705 CVE-2022-42706

Multiple security vulnerabilities have been discovered in Asterisk, an Open Source Private Branch Exchange. Buffer overflows and other programming errors could be exploited for launching a denial of service attack or the execution of arbitrary code.

For the stable distribution (bullseye), these problems have been fixed in version 1:16.28.0~dfsg-0+deb11u2.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/asterisk

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmP3LTtfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7 UeQLpw/8CshgHqfiBn5zx4yxf0mmnHaeXDpDmebNz0MLPJQOBHLn6IBFyAu+TpM5 o9CgBlgTx6LdXToik+0QQtG50EnCp+2gPQ+dalY7lHswTfdwqIrMIM8NUwtOo9ut DUUptPBTbUVDICh/OZfiNE3EfxAJ5Z6ktoqC/L8IqCx/S1ZwbdQJSVXAAQJJUVyT syXDNHpoYqehm6p0JKOAbYkROnCKyvfhrtu9clZgUx0lhlxGRpAMspO15mUTyxqR xLwsWAqWyfPXTZBpa6Ym8Aa8vQeDrvk3QakigvhnYHxhz51eJiH8WcsIzh2NQLW0 CsJHYx+Hq3rVUHpIWvPyR00HeKfGNu4pYzXS8RAhuKricEgxNWEQKWxYO76+xrWt avZ1ebREYG2+6AcneB3ceSCPNEg3YeySmf5RyFYy+3s307OsA8/kbSwzsi4lmBZe 1+bqDZvcb76dEz2d5bFaC9qJ3EUX3C19B4mo/bi+IW4s8YypZZX3OpmH5jCkIFKF XiEmuDj3rtrDYSzQgSCKgflXQIv63UsUn3NbZk2KIkQTZRpBfT8p5M7DWwozOCbO 9CN6gsjkM/H+YT2FfEdXMsqw7H6tl3wv1HUIj9dDaAYfxfnHGMfe3jeSBA84Ql1J +NrQctHyDGHo5WcU4ThMNawTuz+FUn/MHb4+ycyP8TjZa/RHX4M=HsMO -----END PGP SIGNATURE-----

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202212-0244",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "asterisk",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "sangoma",
        "version": "17.0.0"
      },
      {
        "model": "certified asterisk",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sangoma",
        "version": "18.9"
      },
      {
        "model": "certified asterisk",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "sangoma",
        "version": "18.9"
      },
      {
        "model": "asterisk",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sangoma",
        "version": "20.0.0"
      },
      {
        "model": "asterisk",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "sangoma",
        "version": "18.15.1"
      },
      {
        "model": "asterisk",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "sangoma",
        "version": "19.7.1"
      },
      {
        "model": "asterisk",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "sangoma",
        "version": "16.0.0"
      },
      {
        "model": "asterisk",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "sangoma",
        "version": "19.0.0"
      },
      {
        "model": "asterisk",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "sangoma",
        "version": "16.29.1"
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-42706"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Debian",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "171105"
      }
    ],
    "trust": 0.1
  },
  "cve": "CVE-2022-42706",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.2,
            "id": "CVE-2022-42706",
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2022-42706",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202212-2080",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202212-2080"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-42706"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to access files outside of the asterisk configuration directory, aka Directory Traversal. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n- -------------------------------------------------------------------------\nDebian Security Advisory DSA-5358-1                   security@debian.org\nhttps://www.debian.org/security/                          Markus Koschany\nFebruary 23, 2023                     https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage        : asterisk\nCVE ID         : CVE-2022-23537 CVE-2022-23547 CVE-2022-31031 CVE-2022-37325\n                 CVE-2022-39244 CVE-2022-39269 CVE-2022-42705 CVE-2022-42706\n\nMultiple security vulnerabilities have been discovered in Asterisk, an Open\nSource Private Branch Exchange. Buffer overflows and other programming errors\ncould be exploited for launching a denial of service attack or the execution of\narbitrary code. \n\nFor the stable distribution (bullseye), these problems have been fixed in\nversion 1:16.28.0~dfsg-0+deb11u2. \n\nWe recommend that you upgrade your asterisk packages. \n\nFor the detailed security status of asterisk please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/asterisk\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmP3LTtfFIAAAAAALgAo\naXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD\nRjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7\nUeQLpw/8CshgHqfiBn5zx4yxf0mmnHaeXDpDmebNz0MLPJQOBHLn6IBFyAu+TpM5\no9CgBlgTx6LdXToik+0QQtG50EnCp+2gPQ+dalY7lHswTfdwqIrMIM8NUwtOo9ut\nDUUptPBTbUVDICh/OZfiNE3EfxAJ5Z6ktoqC/L8IqCx/S1ZwbdQJSVXAAQJJUVyT\nsyXDNHpoYqehm6p0JKOAbYkROnCKyvfhrtu9clZgUx0lhlxGRpAMspO15mUTyxqR\nxLwsWAqWyfPXTZBpa6Ym8Aa8vQeDrvk3QakigvhnYHxhz51eJiH8WcsIzh2NQLW0\nCsJHYx+Hq3rVUHpIWvPyR00HeKfGNu4pYzXS8RAhuKricEgxNWEQKWxYO76+xrWt\navZ1ebREYG2+6AcneB3ceSCPNEg3YeySmf5RyFYy+3s307OsA8/kbSwzsi4lmBZe\n1+bqDZvcb76dEz2d5bFaC9qJ3EUX3C19B4mo/bi+IW4s8YypZZX3OpmH5jCkIFKF\nXiEmuDj3rtrDYSzQgSCKgflXQIv63UsUn3NbZk2KIkQTZRpBfT8p5M7DWwozOCbO\n9CN6gsjkM/H+YT2FfEdXMsqw7H6tl3wv1HUIj9dDaAYfxfnHGMfe3jeSBA84Ql1J\n+NrQctHyDGHo5WcU4ThMNawTuz+FUn/MHb4+ycyP8TjZa/RHX4M=HsMO\n-----END PGP SIGNATURE-----\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-42706"
      },
      {
        "db": "PACKETSTORM",
        "id": "171105"
      }
    ],
    "trust": 0.99
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2022-42706",
        "trust": 1.7
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2022.6289",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202212-2080",
        "trust": 0.6
      },
      {
        "db": "PACKETSTORM",
        "id": "171105",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "171105"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202212-2080"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-42706"
      }
    ]
  },
  "id": "VAR-202212-0244",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.75
  },
  "last_update_date": "2024-08-14T13:14:33.671000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Asterisk Repair measures for path traversal vulnerabilities",
        "trust": 0.6,
        "url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=216715"
      }
    ],
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202212-2080"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-22",
        "trust": 1.0
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-42706"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.6,
        "url": "https://downloads.asterisk.org/pub/security/ast-2022-009.html"
      },
      {
        "trust": 1.6,
        "url": "https://www.debian.org/security/2023/dsa-5358"
      },
      {
        "trust": 1.6,
        "url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html"
      },
      {
        "trust": 0.6,
        "url": "https://vigilance.fr/vulnerability/asterisk-open-source-directory-traversal-via-getconfig-ami-actio-40002"
      },
      {
        "trust": 0.6,
        "url": "https://cxsecurity.com/cveshow/cve-2022-42706/"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2022.6289"
      },
      {
        "trust": 0.1,
        "url": "https://www.debian.org/security/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-23547"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-31031"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-37325"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-39244"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-39269"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-42705"
      },
      {
        "trust": 0.1,
        "url": "https://www.debian.org/security/faq"
      },
      {
        "trust": 0.1,
        "url": "https://security-tracker.debian.org/tracker/asterisk"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-42706"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-23537"
      }
    ],
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "171105"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202212-2080"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-42706"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "PACKETSTORM",
        "id": "171105"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202212-2080"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-42706"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2023-02-23T16:33:14",
        "db": "PACKETSTORM",
        "id": "171105"
      },
      {
        "date": "2022-12-02T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202212-2080"
      },
      {
        "date": "2022-12-05T21:15:10.227000",
        "db": "NVD",
        "id": "CVE-2022-42706"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2023-02-27T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202212-2080"
      },
      {
        "date": "2023-02-24T00:15:12.133000",
        "db": "NVD",
        "id": "CVE-2022-42706"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202212-2080"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Asterisk Path traversal vulnerability",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202212-2080"
      }
    ],
    "trust": 0.6
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "path traversal",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202212-2080"
      }
    ],
    "trust": 0.6
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2022-42706

Vulnerability from cvelistv5

fkie_cve-2022-42706

Vulnerability from fkie_nvd

WID-SEC-W-2022-2218

Vulnerability from csaf_certbund

wid-sec-w-2022-2218

Vulnerability from csaf_certbund

gsd-2022-42706

Vulnerability from gsd

ghsa-phq9-6f4r-97wc

Vulnerability from github

var-202212-0244

Vulnerability from variot

Tags

Sightings

Nomenclature