CVE-2014-8412 — Asterisk vulnerability

CWE-2645 documents5 sources

Severity

5.0MEDIUMNVD

EPSS

0.6%

top 30.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Digium Asterisk Debian Asterisk Digium Certified Asterisk

Timeline

PublishedNov 24

Latest updateMay 14

Description

The (1) VoIP channel drivers, (2) DUNDi, and (3) Asterisk Manager Interface (AMI) in Asterisk Open Source 1.8.x before 1.8.32.1, 11.x before 11.14.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 1.8.28 before 1.8.28-cert3 and 11.6 before 11.6-cert8 allows remote attackers to bypass the ACL restrictions via a packet with a source IP that does not share the address family as the first ACL entry.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages4 packages

▶NVDdigium/certified_asterisk4 versions+3

▶NVDdigium/asterisk1.8.0 — 1.8.32.1+3

▶debiandebian/asterisk< asterisk 1:13.1.0~dfsg-1 (bullseye)

▶Debiandigium/asterisk< 1:13.1.0~dfsg-1

🔴Vulnerability Details

GHSA

GHSA-hr4p-r869-mq9r: The (1) VoIP channel drivers, (2) DUNDi, and (3) Asterisk Manager Interface (AMI) in Asterisk Open Source 1↗2022-05-14

▶

OSV

CVE-2014-8412: The (1) VoIP channel drivers, (2) DUNDi, and (3) Asterisk Manager Interface (AMI) in Asterisk Open Source 1↗2014-11-24

▶

📋Vendor Advisories

Debian

CVE-2014-8412: asterisk - The (1) VoIP channel drivers, (2) DUNDi, and (3) Asterisk Manager Interface (AMI...↗2014

▶

💬Community

Bugzilla

CVE-2014-8412 asterisk: Mixed IP address families in access control lists may permit unwanted traffic [AST-2014-012]↗2014-11-21

▶