CVE-2012-2186 — Asterisk vulnerability

8 documents5 sources

Severity

9.0CRITICALNVD

EPSS

0.5%

top 35.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sangoma Asterisk Debian Asterisk Asterisk Business Edition +3 more

Timeline

PublishedAug 31

Latest updateMay 17

Description

Incomplete blacklist vulnerability in main/manager.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert6, Asterisk Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6 allows remote authenticated users to execute arbitrary commands by leveraging originate privileges and providing an ExternalIVR value in an AMI Originate action.

CVSS vector

AV:N/AC:L/C:C/I:C/A:CExploitability: 8.0 | Impact: 10.0

Affected Packages7 packages

▶NVDasterisk/digiumphones10.7.0

▶NVDasterisk/business_editionc.3.7.5+1

▶NVDasterisk/open_source50 versions+49

▶NVDasterisk/certified_asterisk1.8.11+1

▶debiandebian/asterisk< asterisk 1:1.8.13.1~dfsg-1 (bullseye)

Patches

Patch: downloads.asterisk.org ↗Patch: downloads.asterisk.org ↗

🔴Vulnerability Details

GHSA

GHSA-27ch-ccxg-45pf: Incomplete blacklist vulnerability in main/manager↗2022-05-17

▶

OSV

CVE-2012-2186: Incomplete blacklist vulnerability in main/manager↗2012-08-31

▶

📋Vendor Advisories

Debian

CVE-2012-2186: asterisk - Incomplete blacklist vulnerability in main/manager.c in Asterisk Open Source 1.8...↗2012

▶

💬Community

Bugzilla

CVE-2012-2186 Asterisk: Asterisk Manager User Unauthorized Shell Access↗2012-08-31

▶

Bugzilla

CVE-2012-2186 Asterisk: Asterisk Manager User Unauthorized Shell Access [epel-6]↗2012-08-31

▶

Bugzilla

CVE-2012-2186 Asterisk: Asterisk Manager User Unauthorized Shell Access [fedora-16]↗2012-08-31

▶

Bugzilla

CVE-2012-2186 Asterisk: Asterisk Manager User Unauthorized Shell Access [fedora-17]↗2012-08-31

▶