CVE-2012-2414 — Improper Authentication in Asterisk

CWE-287 — Improper Authentication8 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

4.3%

top 11.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Asterisk Asterisk Open Source

Timeline

PublishedApr 30

Latest updateMay 17

Description

main/manager.c in the Manager Interface in Asterisk Open Source 1.6.2.x before 1.6.2.24, 1.8.x before 1.8.11.1, and 10.x before 10.3.1 and Asterisk Business Edition C.3.x before C.3.7.4 does not properly enforce System class authorization requirements, which allows remote authenticated users to execute arbitrary commands via (1) the originate action in the MixMonitor application, (2) the SHELL and EVAL functions in the GetVar manager action, or (3) the SHELL and EVAL functions in the Status mana…

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 8.0 | Impact: 6.4

Affected Packages2 packages

▶NVDasterisk/open_source75 versions+74

▶debiandebian/asterisk< asterisk 1:1.8.11.1~dfsg-1 (bullseye)

Patches

Patch: downloads.asterisk.org ↗Patch: downloads.asterisk.org ↗

🔴Vulnerability Details

GHSA

GHSA-7g5f-32j4-ffm7: main/manager↗2022-05-17

▶

OSV

CVE-2012-2414: main/manager↗2012-04-30

▶

📋Vendor Advisories

Debian

CVE-2012-2414: asterisk - main/manager.c in the Manager Interface in Asterisk Open Source 1.6.2.x before 1...↗2012

▶

💬Community

Bugzilla

CVE-2012-2662 Certificate System: multiple XSS flaws↗2012-05-30

▶

Bugzilla

CVE-2012-2414 CVE-2012-2415 CVE-2012-2416 asterisk various flaws [fedora-all]↗2012-04-24

▶

Bugzilla

CVE-2012-2414 CVE-2012-2415 CVE-2012-2416 asterisk various flaws [epel-6]↗2012-04-24

▶

Bugzilla

CVE-2012-2414 asterisk: Asterisk Manager Interface unauthorized shell access (AST-2012-004)↗2012-04-24

▶