CVE-2022-26651
Published 2022-04-15
Priority: P261 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 6.60% (93.0th percentile)
An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc module provides possibly inadequate escaping functionality for backslash characters in SQL queries, resulting in user-provided data creating a broken SQL query or possibly a SQL injection. This is fixed in 16.25.2, 18.11.2, and 19.3.2, and 16.8-cert14.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | asterisk | < asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye) | asterisk 1:16.28.0~dfsg-0+deb11u1 (bullseye) |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| digium | asterisk | >= 0 < 1:16.28.0~dfsg-0+deb11u1 | 1:16.28.0~dfsg-0+deb11u1 |
| digium | asterisk | >= 16.0.0 < 16.25.2 | 16.25.2 |
| digium | asterisk | >= 18.0 < 18.11.2 | 18.11.2 |
| digium | asterisk | >= 19.0.0 < 19.3.2 | 19.3.2 |
| digium | certified_asterisk | — | — |
| linux | linux_kernel | >= 0 < 4.4.0-259.293 | 4.4.0-259.293 |
Detection & IOCs (extracted from sources)
- The vulnerability resides in the func_odbc module of Asterisk; monitor or audit use of this module for anomalous SQL query patterns, particularly those involving unescaped backslash characters in user-supplied data passed to ODBC SQL queries.
- Affected versions are Asterisk through 19.x and Certified Asterisk through 16.8-cert13. Fixed versions are 16.25.2, 18.11.2, 19.3.2, and 16.8-cert14; verify that the deployed Asterisk version is patched.
- The vulnerability is exploitable via user-provided data reaching func_odbc SQL queries; any Asterisk deployment using func_odbc with user-controlled input and an ODBC backend should be treated as at risk until patched.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
Debian
vendor_debian · 2022 · CVSS 9.8 · CRITICAL
CVE-2022-26651: asterisk - An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13 (description identical to the NVD entry above).
Scope: local
bullseye: resolved (fixed in 1:16.28.0~dfsg-0+deb11u1)
sid: resolved (fixed in 1:18.11.2~dfsg+~cs6.10.40431413-1)
VulDB
vuldb · 2026-05-10 · CVSS 9.8 · CRITICAL
Digium Asterisk/Certified Asterisk up to 16.8-cert13/16.25.1/18.11.1/19.3.1 func_odbc sql injection (AST-2022-003 / EUVD-2022-31204)
A vulnerability was found in Digium Asterisk and Certified Asterisk up to 16.8-cert13/16.25.1/18.11.1/19.3.1 and classified as critical. This issue affects the function func_odbc. Such manipulation leads to sql injection.
This vulnerability is uniquely identified as CVE-2022-26651. The attack can be launched remotely. No exploit exists.
It is suggested to upgrade the affected component.
OSV
osv · 2024-09-26 · CVSS 5.5
linux, linux-aws, linux-kvm, linux-lts-xenial vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- GPU drivers;
- Input Device (Tablet) drivers;
- Modular ISDN driver;
- Multiple devices driver;
- Network drivers;
- Near Field Communication (NFC) drivers;
- SCSI drivers;
- GCT GDM724x LTE driver;
- USB subsystem;
- VFIO drivers;
- GFS2 file system;
- JFS file system;
- NILFS2 file system;
- Networking core;
- IPv4 networking;
- L2TP protocol;
- Netfilter;
- RxRPC session sockets;
(CVE-2024-26651, CVE-2024-38583, CVE-2023-52527, CVE-2024-26880,
CVE-2022-48850, CVE-2024-26733, CVE-2021-47188, CVE-2024-42154,
CVE-2023-52809, CVE-2024-42228, CVE-2022
GHSA
ghsa_unreviewed · 2022-04-16 · CRITICAL · CWE-89
GHSA-6pcv-f66p-pqqj: An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc module provides possibly inadequate escaping functionality for backslash characters in SQL queries, resulting in user-provided data creating a broken SQL query or possibly a SQL injection. This is fixed in 16.25.2, 18.11.2, and 19.3.2, and 16.8-cert14.
OSV
osv · 2022-04-15 · CVSS 9.8 · CRITICAL
CVE-2022-26651: An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13 (description identical to the NVD entry above).
No detection rules found.
No public exploits indexed.
Bugzilla
bugzilla · 2022-04-18 · CVSS 7.5 · HIGH (scored on CVE-2022-26498)
CVE-2022-26498 CVE-2022-26499 CVE-2022-26651 asterisk: multiple vulnerabilities [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple support
Bugzilla
bugzilla · 2022-04-18 · CVSS 7.5 · HIGH (scored on CVE-2022-26498)
CVE-2022-26498 CVE-2022-26499 CVE-2022-26651 asterisk: multiple vulnerabilities [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple sup
References
- http://packetstormsecurity.com/files/166746/Asterisk-Project-Security-Advisory-AST-2022-003.html
- https://downloads.asterisk.org/pub/security/
- https://downloads.asterisk.org/pub/security/AST-2022-003.html
- https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
- https://www.debian.org/security/2022/dsa-5285