CVE-2010-1224 — Asterisk vulnerability

CWE-2644 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

1.0%

top 22.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Digium Asterisk Debian Asterisk

Timeline

PublishedApr 1

Latest updateMay 2

Description

main/acl.c in Asterisk Open Source 1.6.0.x before 1.6.0.25, 1.6.1.x before 1.6.1.17, and 1.6.2.x before 1.6.2.5 does not properly enforce remote host access controls when CIDR notation "/0" is used in permit= and deny= configuration rules, which causes an improper arithmetic shift and might allow remote attackers to bypass ACL rules and access services from unauthorized hosts.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/asterisk< asterisk 1:1.6.2.6-1 (bullseye)

▶Debiandigium/asterisk< 1:1.6.2.6-1

▶NVDdigium/asterisk44 versions+43

Patches

Patch: downloads.asterisk.org ↗Patch: downloads.asterisk.org ↗

🔴Vulnerability Details

GHSA

GHSA-97m6-wvfm-vj4p: main/acl↗2022-05-02

▶

OSV

CVE-2010-1224: main/acl↗2010-04-01

▶

📋Vendor Advisories

Debian

CVE-2010-1224: asterisk - main/acl.c in Asterisk Open Source 1.6.0.x before 1.6.0.25, 1.6.1.x before 1.6.1...↗2010

▶