CVE-2010-0685: Asterisk vulnerability

Severity: 5.0 MEDIUM (NVD)
EPSS: 0.1% (top 76.36%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 23, 2010; latest update May 2, 2022

Description

The design of the dialplan functionality in Asterisk Open Source 1.2.x, 1.4.x, and 1.6.x; and Asterisk Business Edition B.x.x and C.x.x, when using the ${EXTEN} channel variable and wildcard pattern matches, allows context-dependent attackers to inject strings into the dialplan using metacharacters that are injected when the variable is expanded, as demonstrated using the Dial application to process a crafted SIP INVITE message that adds an unintended outgoing channel leg. NOTE: it could be argu
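The mechanism in the description, as an added worked model (not Asterisk's code and not from this advisory): the user part of a SIP INVITE Request-URI becomes ${EXTEN}, a wildcard pattern such as `_X.` accepts it, and Dial() then splits its first argument on `&`, so a crafted user part adds an outgoing channel leg. The dialplan lines in the docstring, the constructed INVITE messages, the `provider` peer and the 198.51.100.7 / pbx.example hosts are all assumptions for illustration; the hardened variant uses Asterisk's FILTER() function, emulated here by `filter_digits`.

```python
"""
Model of the CVE-2010-0685 dialplan injection: a value taken from the SIP
Request-URI reaches Dial() through ${EXTEN} without filtering.

Hypothetical dialplan being modelled (extensions.conf syntax, assumed here):

    [outbound]
    ; vulnerable: ${EXTEN} is pasted verbatim into the Dial string
    exten => _X.,1,Dial(SIP/${EXTEN}@provider)

    ; hardened: keep only digits before the value reaches Dial
    exten => _X.,1,Dial(SIP/${FILTER(0-9,${EXTEN})}@provider)
"""
import re

VULNERABLE_DIAL = "SIP/${EXTEN}@provider"
HARDENED_DIAL = "SIP/${FILTER(0-9,${EXTEN})}@provider"

# Constructed sample messages (not captured traffic). The crafted one carries
# '&', Dial's leg separator, followed by a second technology/resource string.
CRAFTED_INVITE = (
    "INVITE sip:1000&SIP/5551212@pbx.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bKdeadbeef\r\n"
    "From: <sip:caller@198.51.100.7>;tag=1\r\n"
    "To: <sip:1000@pbx.example>\r\n"
    "Call-ID: 1@198.51.100.7\r\n"
    "CSeq: 1 INVITE\r\n"
    "\r\n"
)
BENIGN_INVITE = CRAFTED_INVITE.replace("sip:1000&SIP/5551212@", "sip:1000@")

REQUEST_LINE = re.compile(r"^INVITE\s+sip:([^@\s]+)@\S+\s+SIP/2\.0$")


def exten_from_invite(invite: str) -> str:
    """User part of the Request-URI: what the dialplan sees as ${EXTEN}."""
    m = REQUEST_LINE.match(invite.split("\r\n", 1)[0])
    if not m:
        raise ValueError("not a SIP INVITE request line")
    return m.group(1)


def pattern_matches(pattern: str, exten: str) -> bool:
    """Minimal Asterisk extension pattern matcher: a pattern starts with '_';
    X=[0-9], Z=[1-9], N=[2-9], '.' = one or more of anything, '!' = zero or
    more; other characters are literal. Without '_' the match must be exact."""
    if not pattern.startswith("_"):
        return pattern == exten
    classes = {"X": "[0-9]", "Z": "[1-9]", "N": "[2-9]", ".": ".+", "!": ".*"}
    regex = "".join(classes.get(ch, re.escape(ch)) for ch in pattern[1:])
    return re.fullmatch(regex, exten) is not None


def filter_digits(value: str) -> str:
    """Equivalent of FILTER(0-9,<value>): drop every character outside 0-9."""
    return "".join(c for c in value if c in "0123456789")


def expand(template: str, exten: str) -> str:
    """Expand the two variable forms used in the dialplans above. The FILTER
    form is replaced first so its inner ${EXTEN} is never expanded raw."""
    out = template.replace("${FILTER(0-9,${EXTEN})}", filter_digits(exten))
    return out.replace("${EXTEN}", exten)


def dial_legs(dial_arg: str) -> list:
    """Dial() rings every technology/resource string in its first argument,
    separated by '&'; each element returned here is one outgoing channel leg."""
    return dial_arg.split("&")


def route(invite: str, dial_template: str, pattern: str = "_X.") -> list:
    """Channel legs Dial() would place for this INVITE under the given dialplan
    line; empty when the extension does not match the pattern at all."""
    exten = exten_from_invite(invite)
    if not pattern_matches(pattern, exten):
        return []
    return dial_legs(expand(dial_template, exten))


def is_injection_attempt(exten: str) -> bool:
    """Stricter than FILTER: flag (and let the dialplan reject) anything that
    is not purely numeric instead of silently sanitising it."""
    return filter_digits(exten) != exten


if __name__ == "__main__":
    for name, template in (("vulnerable", VULNERABLE_DIAL), ("hardened", HARDENED_DIAL)):
        print(name, route(CRAFTED_INVITE, template))
```

Two points the model makes visible: `&` is a legal character in a SIP URI user part, so nothing upstream of the dialplan rejects the crafted INVITE, and FILTER() sanitises rather than rejects (the crafted call above is still placed, to the digit-only remainder), so a dialplan that wants to refuse rather than rewrite should test for non-digits and hang up, or use fixed-length patterns such as `_XXXX`, which the `&` never matches.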

CVSS v2 vector: AV:N/AC:L/C:N/I:P/A:N (Exploitability: 10.0 | Impact: 2.9)

Affected Packages (3 packages)

- Debian (debian/asterisk): < asterisk 1:1.6.2.6-1 (bullseye)
- Debian (digium/asterisk): < 1:1.6.2.6-1
- NVD (digium/asterisk): 97 versions

Vulnerability Details (2)

- GHSA: GHSA-2w2c-jqh6-rwvr: The design of the dialplan functionality in Asterisk Open Source 1... (2022-05-02)
- OSV: CVE-2010-0685: The design of the dialplan functionality in Asterisk Open Source 1... (2010-02-23)

Vendor Advisories (1)

- Debian: CVE-2010-0685: asterisk - The design of the dialplan functionality in Asterisk Open Source 1.2.x, 1.4.x, a... (2010)