cbcvebase.
CVE-2022-26651
published 2022-04-15


Priority: P261 · critical · CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 6.60% (93.0th percentile)
An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc module provides possibly inadequate escaping functionality for backslash characters in SQL queries, resulting in user-provided data creating a broken SQL query or possibly a SQL injection. This is fixed in 16.25.2, 18.11.2, and 19.3.2, and 16.8-cert14.

Affected (9 ranges)

| Vendor | Product            | Version range                                    | Fixed in                                       |
|--------|--------------------|--------------------------------------------------|------------------------------------------------|
| debian | asterisk           | < asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye)   | asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye)   |
| debian | debian_linux       |                                                  |                                                |
| debian | debian_linux       |                                                  |                                                |
| digium | asterisk           | >= 0 < 1:16.28.0~dfsg-0+deb11u1                  | 1:16.28.0~dfsg-0+deb11u1                       |
| digium | asterisk           | >= 16.0.0 < 16.25.2                              | 16.25.2                                        |
| digium | asterisk           | >= 18.0 < 18.11.2                                | 18.11.2                                        |
| digium | asterisk           | >= 19.0.0 < 19.3.2                               | 19.3.2                                         |
| digium | certified_asterisk |                                                  |                                                |
| linux  | linux_kernel       | >= 0 < 4.4.0-259.293                             | 4.4.0-259.293                                  |

Detection & IOCs (extracted from sources)

  • The vulnerability resides in the func_odbc module of Asterisk; monitor or audit use of this module for anomalous SQL query patterns, particularly those involving unescaped backslash characters in user-supplied data passed to ODBC SQL queries.
  • Affected versions are Asterisk through 19.x and Certified Asterisk through 16.8-cert13. Fixed versions are 16.25.2, 18.11.2, 19.3.2, and 16.8-cert14; verify that the deployed Asterisk version is patched.
  • The vulnerability is exploitable via user-provided data reaching func_odbc SQL queries; any Asterisk deployment using func_odbc with user-controlled input and an ODBC backend should be treated as at risk until patched.

CVSS provenance

| Source        | Version | Score | Severity | Vector                                       |
|---------------|---------|-------|----------|----------------------------------------------|
| nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd           | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P                   |
| osv           |         | 9.8   | CRITICAL |                                              |
| vendor_debian |         | 9.8   | CRITICAL |                                              |