CVE-2024-57520 — Incorrect Permission Assignment in Asterisk

CWE-732 — Incorrect Permission Assignment4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

3.5%

top 12.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Asterisk Sangoma Asterisk

Timeline

PublishedFeb 5

Latest updateFeb 6

Description

Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function. NOTE: this is disputed by the Supplier because the impact is limited to creating empty files outside of the Asterisk product directory (aka directory traversal) and the attack can only be performed by a privileged user who has the ability to manage the configuration.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶debiandebian/asterisk< asterisk 1:22.3.0~dfsg+~cs6.15.60671435-1 (sid)

▶NVDsangoma/asterisk22.0.0 — 22.5.1

🔴Vulnerability Details

GHSA

GHSA-4m27-833c-75q4: Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function↗2025-02-06

▶

OSV

CVE-2024-57520: Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function↗2025-02-05

▶

📋Vendor Advisories

Debian

CVE-2024-57520: asterisk - Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to e...↗2024

▶