CVE-2008-1390
Published 2008-03-24
Priority P339 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C (network, medium complexity, no authentication, complete loss of confidentiality, integrity and availability). Note that CVSS 2.0 has no "critical" band; NVD's v2 scale tops out at High for 7.0 to 10.0, so the critical label is this tracker's own.
EPSS: 3.84% (88.8th percentile)
The AsteriskGUI HTTP server in Asterisk Open Source 1.4.x before 1.4.19-rc3 and 1.6.x before 1.6.0-beta6, Business Edition C.x.x before C.1.6, AsteriskNOW before 1.0.2, Appliance Developer Kit before revision 104704, and s800i 1.0.x before 1.1.0.2 generates insufficiently random manager ID values, which makes it easier for remote attackers to hijack a manager session via a series of ID guesses.
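The description names the root cause, insufficiently random manager IDs, but does not show what makes an ID predictable or why "a series of ID guesses" becomes feasible. The C example below is added here; it is not Asterisk's code and does not reproduce the generator the AST-2008-005 fix replaced. It constructs a weak scheme (a small LCG seeded once from a hypothetical server start time, producing 30-bit IDs), shows an attacker recovering that seed from a single observed ID and predicting the next session's ID, and contrasts it with a 128-bit ID drawn from /dev/urandom. The LCG constants, the scenario timestamp, the window size and all function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a libc-style LCG rand(): 32-bit state, 15-bit output.
 * It is NOT Asterisk's generator; it stands for the class of generator that
 * makes every future ID a function of one small, guessable seed. */
struct weak_rng { uint32_t state; };

static void weak_seed(struct weak_rng *r, uint32_t seed) { r->state = seed; }

static uint32_t weak_next(struct weak_rng *r) {
    r->state = r->state * 1103515245u + 12345u;
    return (r->state >> 16) & 0x7fffu;          /* 15 bits per call */
}

/* Weak manager ID: two PRNG outputs glued into a 30-bit value. Because the
 * generator was seeded once from a timestamp (hypothetical server start time),
 * anyone who can bound that timestamp can regenerate every ID ever issued. */
static uint32_t weak_manager_id(struct weak_rng *r) {
    uint32_t hi = weak_next(r);                 /* sequenced: order matters */
    uint32_t lo = weak_next(r);
    return (hi << 15) | lo;
}

/* Attacker side. Given one ID the server handed out (e.g. the attacker's own
 * unauthenticated session) and a window [t_lo, t_hi] of plausible seeds,
 * brute-force the seed, locate the observed ID among the first max_sessions
 * outputs, and return the ID the server will issue next. */
static int predict_next_id(uint32_t observed, uint32_t t_lo, uint32_t t_hi,
                           int max_sessions, uint32_t *predicted) {
    for (uint32_t t = t_lo; ; t++) {
        struct weak_rng r;
        weak_seed(&r, t);
        for (int k = 0; k < max_sessions; k++) {
            if (weak_manager_id(&r) == observed) {
                *predicted = weak_manager_id(&r);
                return 1;
            }
        }
        if (t == t_hi) break;                   /* avoids overflow at UINT32_MAX */
    }
    return 0;
}

/* Hardened replacement: 128 bits straight from the OS CSPRNG. There is no seed
 * to recover, and 2^128 candidates are out of reach for a series of guesses. */
static int strong_manager_id(uint8_t out[16]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return 0;
    size_t n = fread(out, 1, 16, f);
    fclose(f);
    return n == 16;
}

/* Scenario (constructed): the server booted at a time the attacker knows only
 * to within an hour, issued four sessions, and the attacker holds the third.
 * Returns 1 if the attacker correctly predicts the fourth (the victim's) ID. */
static int demo_weak_is_predictable(void) {
    const uint32_t server_start = 1206316800u;  /* hypothetical boot timestamp */
    struct weak_rng server;
    uint32_t ids[4], predicted = 0;

    weak_seed(&server, server_start);
    for (int i = 0; i < 4; i++) ids[i] = weak_manager_id(&server);

    if (!predict_next_id(ids[2], server_start - 3600, server_start + 3600, 16, &predicted))
        return 0;
    return predicted == ids[3];
}

/* Two draws from the hardened generator must differ (collision odds 2^-128). */
static int demo_strong_ids_differ(void) {
    uint8_t a[16], b[16];
    if (!strong_manager_id(a) || !strong_manager_id(b)) return 0;
    return memcmp(a, b, 16) != 0;
}

int main(void) {
    uint8_t id[16];
    printf("weak ID predicted from a 2-hour seed window: %s\n",
           demo_weak_is_predictable() ? "yes" : "no");
    if (strong_manager_id(id)) {
        printf("strong ID: ");
        for (int i = 0; i < 16; i++) printf("%02x", id[i]);
        printf("\n");
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall predictable_id.c` on a Linux host. The weak side needs only 7,200 seed candidates times 16 positions, about 115,000 trials, to recover the seed offline; no request to the target is spent until the attacker submits the single predicted ID. The defensive check to carry away is the one in `strong_manager_id`: session identifiers must come from the OS CSPRNG with at least 128 bits of entropy, never from a PRNG whose seed an outsider can bound.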
Affected
42 ranges · showing 25 (rows carrying no version data in this extract are collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| asterisk | asterisk | >= 0 < 1:1.4.19.1~dfsg-1 | 1:1.4.19.1~dfsg-1 |
| asterisk | asterisk | 21 further ranges, no version data | — |
| asterisk | asterisk_appliance_developer_kit | 3 ranges, no version data | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 9.3 | CRITICAL | — |
| vendor_debian | — | 9.3 | LOW | — |
| vendor_redhat | — | 9.3 | CRITICAL | — |
The severity column is each source's own rating, not a function of the score: Debian carries the same 9.3 base score but rates the issue low.
Debian
CVE-2008-1390: asterisk - The AsteriskGUI HTTP server in Asterisk Open Source 1.4.x before 1.4.19-rc3 and ...
vendor_debian · 2008 · CVSS 9.3 [CRITICAL]
Scope: local
bullseye: resolved (fixed in 1:1.4.19.1~dfsg-1)
sid: resolved (fixed in 1:1.4.19.1~dfsg-1)
Red Hat
asterisk: HTTP Manager ID is predictable (AST-2008-005)
vendor_redhat · CVSS 9.3 [CRITICAL]
GHSA
GHSA-4h7j-rpcg-6w8h: The AsteriskGUI HTTP server in Asterisk Open Source 1
ghsa_unreviewed · 2022-05-01 · [HIGH]
OSV
CVE-2008-1390: The AsteriskGUI HTTP server in Asterisk Open Source 1
osv · 2008-03-24 · CVSS 9.3 [CRITICAL]
No detection rules found.
No public exploits indexed.
References
http://downloads.digium.com/pub/security/AST-2008-005.html
http://secunia.com/advisories/29449
http://secunia.com/advisories/29470
http://securityreason.com/securityalert/3764
http://www.securityfocus.com/archive/1/489819/100/0/threaded
http://www.securityfocus.com/bid/28316
http://www.securitytracker.com/id?1019679
https://exchange.xforce.ibmcloud.com/vulnerabilities/41304
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00438.html
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00514.html