An issue was discovered in Sangoma Asterisk through 18.20.0, 19.x and 20.x through 20.5.0, and 21.x through 21.0.0, and Certified Asterisk through 18.9-cert5. In manager.c, the functions action_getconfig() and action_getconfigJson() do not process the input file path, resulting in a path traversal vulnerability. In versions without the restrictedFile() function, no processing is done on the input path. In versions with the restrictedFile() function, path traversal is not processed.
References
Link | Resource |
---|---|
https://gist.github.com/hyp164D1/5d68b9b7a504f1416272a825ce65966a | Third Party Advisory |
https://github.com/asterisk/asterisk/blob/20.5.0/main/manager.c#L3755 | Product |
Configurations
Configuration 1 (hide)
|
History
24 Oct 2024, 14:10
Type | Values Removed | Values Added |
---|---|---|
References | () https://gist.github.com/hyp164D1/5d68b9b7a504f1416272a825ce65966a - Third Party Advisory | |
References | () https://github.com/asterisk/asterisk/blob/20.5.0/main/manager.c#L3755 - Product | |
CPE | cpe:2.3:a:sangoma:certified_asterisk:18.9:cert2:*:*:*:*:*:* cpe:2.3:a:sangoma:certified_asterisk:18.9:cert3:*:*:*:*:*:* cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1:*:*:*:*:*:* cpe:2.3:a:sangoma:certified_asterisk:*:*:*:*:*:*:*:* cpe:2.3:a:sangoma:asterisk:21.0.0:*:*:*:*:*:*:* cpe:2.3:a:sangoma:certified_asterisk:18.9:cert5:*:*:*:*:*:* cpe:2.3:a:sangoma:certified_asterisk:18.9:cert4:*:*:*:*:*:* cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1-rc1:*:*:*:*:*:* cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:* |
|
First Time |
Sangoma asterisk
Sangoma certified Asterisk Sangoma |
22 Oct 2024, 20:35
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-22 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.8 |
21 Oct 2024, 17:09
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
21 Oct 2024, 01:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-10-21 01:15
Updated : 2024-10-24 14:10
NVD link : CVE-2024-49215
Mitre link : CVE-2024-49215
CVE.ORG link : CVE-2024-49215
JSON object : View
Products Affected
sangoma
- certified_asterisk
- asterisk
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')