CVE-2011-1599 — Improper Input Validation in Asterisk

CWE-20 — Improper Input Validation7 documents5 sources

Severity

9.0CRITICALNVD

EPSS

0.3%

top 43.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Digium Asterisk Debian Asterisk

Timeline

PublishedApr 27

Latest updateMay 17

Description

manager.c in the Manager Interface in Asterisk Open Source 1.4.x before 1.4.40.1, 1.6.1.x before 1.6.1.25, 1.6.2.x before 1.6.2.17.3, and 1.8.x before 1.8.3.3 and Asterisk Business Edition C.x.x before C.3.6.4 does not properly check for the system privilege, which allows remote authenticated users to execute arbitrary commands via an Originate action that has an Async header in conjunction with an Application header.

CVSS vector

AV:N/AC:L/C:C/I:C/A:CExploitability: 8.0 | Impact: 10.0

Affected Packages3 packages

▶debiandebian/asterisk< asterisk 1:1.8.3.3-1 (bullseye)

▶Debiandigium/asterisk< 1:1.8.3.3-1

▶NVDdigium/asterisk123 versions+122

🔴Vulnerability Details

GHSA

GHSA-9qp8-qmr4-5hp8: manager↗2022-05-17

▶

OSV

CVE-2011-1599: manager↗2011-04-27

▶

📋Vendor Advisories

Debian

CVE-2011-1599: asterisk - manager.c in the Manager Interface in Asterisk Open Source 1.4.x before 1.4.40.1...↗2011

▶

💬Community

Bugzilla

CVE-2011-1507 CVE-2011-1599 asterisk various flaws [epel-6]↗2011-04-22

▶

Bugzilla

CVE-2011-1599 Asterisk: Shell command execution via manager Originate action (AST-2011-006)↗2011-04-22

▶

Bugzilla

CVE-2011-1507 CVE-2011-1599 asterisk various flaws [fedora-all]↗2011-04-22

▶