CVE-2008-1390 — Asterisk vulnerability

CWE-2556 documents6 sources

Severity

9.3CRITICALNVD

EPSS

3.0%

top 13.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Asterisk Debian Asterisk Asterisk Appliance Developer KIT +3 more

Timeline

PublishedMar 24

Latest updateMay 1

Description

The AsteriskGUI HTTP server in Asterisk Open Source 1.4.x before 1.4.19-rc3 and 1.6.x before 1.6.0-beta6, Business Edition C.x.x before C.1.6, AsteriskNOW before 1.0.2, Appliance Developer Kit before revision 104704, and s800i 1.0.x before 1.1.0.2 generates insufficiently random manager ID values, which makes it easier for remote attackers to hijack a manager session via a series of ID guesses.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages7 packages

▶NVDasterisk/asterisk_business_editionc.1.0-beta7, c.1.0-beta8+1

▶NVDasterisk/asterisk_appliance_developer_kit8 versions+7

▶NVDasterisk/s800i5 versions+4

▶NVDasterisk/asterisknow4 versions+3

▶debiandebian/asterisk< asterisk 1:1.4.19.1~dfsg-1 (bullseye)

🔴Vulnerability Details

GHSA

GHSA-4h7j-rpcg-6w8h: The AsteriskGUI HTTP server in Asterisk Open Source 1↗2022-05-01

▶

OSV

CVE-2008-1390: The AsteriskGUI HTTP server in Asterisk Open Source 1↗2008-03-24

▶

📋Vendor Advisories

Debian

CVE-2008-1390: asterisk - The AsteriskGUI HTTP server in Asterisk Open Source 1.4.x before 1.4.19-rc3 and ...↗2008

▶

Red Hat

asterisk: HTTP Manager ID is predictable (AST-2008-005)↗

▶

💬Community

Bugzilla

CVE-2008-1390 asterisk: HTTP Manager ID is predictable (AST-2008-005)↗2008-03-19

▶