CVE-2012-4737 — Asterisk vulnerability

CWE-2648 documents5 sources

Severity

6.0MEDIUMNVD

EPSS

1.5%

top 18.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Digium Asterisk Debian Asterisk Digium Certified Asterisk

Timeline

PublishedAug 31

Latest updateMay 17

Description

channels/chan_iax2.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert7, Asterisk Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6 does not enforce ACL rules during certain uses of peer credentials, which allows remote authenticated users to bypass intended outbound-call restrictions by leveraging the availability of these credentials.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 6.8 | Impact: 6.4

Affected Packages4 packages

▶NVDdigium/certified_asterisk1.8.11

▶debiandebian/asterisk< asterisk 1:1.8.13.1~dfsg-1 (bullseye)

▶Debiandigium/asterisk< 1:1.8.13.1~dfsg-1

▶NVDdigium/asterisk70 versions+69

🔴Vulnerability Details

GHSA

GHSA-5hf4-mrr5-f9rh: channels/chan_iax2↗2022-05-17

▶

OSV

CVE-2012-4737: channels/chan_iax2↗2012-08-31

▶

📋Vendor Advisories

Debian

CVE-2012-4737: asterisk - channels/chan_iax2.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x befo...↗2012

▶

💬Community

Bugzilla

CVE-2012-4737 Asterisk: ACL rules ignored when placing outbound calls by certain IAX2 users [fedora-16]↗2012-08-31

▶

Bugzilla

CVE-2012-4737 Asterisk: ACL rules ignored when placing outbound calls by certain IAX2 users [fedora-17]↗2012-08-31

▶

Bugzilla

CVE-2012-4737 Asterisk: ACL rules ignored when placing outbound calls by certain IAX2 users [epel-6]↗2012-08-31

▶

Bugzilla

CVE-2012-4737 Asterisk: ACL rules ignored when placing outbound calls by certain IAX2 users↗2012-08-31

▶