CVE-2024-57520
published 2025-02-05CVE-2024-57520: Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function. NOTE: this is…
PriorityP346critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.97%
57.5th percentile
Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function. NOTE: this is disputed by the Supplier because the impact is limited to creating empty files outside of the Asterisk product directory (aka directory traversal) and the attack can only be performed by a privileged user who has the ability to manage the configuration.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | asterisk | < asterisk 1:22.3.0~dfsg+~cs6.15.60671435-1 (sid) | asterisk 1:22.3.0~dfsg+~cs6.15.60671435-1 (sid) |
| sangoma | asterisk | 22.0.0 – 22.5.1 | — |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv9.8CRITICAL
vendor_debian9.8LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-4m27-833c-75q4: Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function
ghsa_unreviewed·2025-02-06
CVE-2024-57520 [CRITICAL] CWE-732 GHSA-4m27-833c-75q4: Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function
Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function
OSV
CVE-2024-57520: Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function
osv·2025-02-05·CVSS 9.8
CVE-2024-57520 [CRITICAL] CVE-2024-57520: Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function
Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function. NOTE: this is disputed by the Supplier because the impact is limited to creating empty files outside of the Asterisk product directory (aka directory traversal) and the attack can only be performed by a privileged user who has the ability to manage the configuration.
Debian
CVE-2024-57520: asterisk - Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to e...
vendor_debian·2024·CVSS 9.8
CVE-2024-57520 [CRITICAL] CVE-2024-57520: asterisk - Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to e...
Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function. NOTE: this is disputed by the Supplier because the impact is limited to creating empty files outside of the Asterisk product directory (aka directory traversal) and the attack can only be performed by a privileged user who has the ability to manage the configuration.
Scope: local
bullseye: open
sid: resolved (fixed in 1:22.3.0~dfsg+~cs6.15.60671435-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-02-05
Published