Bug#947377: asterisk: CVE-2019-18610: AST-2019-007: AMI user could execute system commands
Salvatore Bonaccorso
carnil at debian.org
Wed Dec 25 21:47:57 GMT 2019
Source: asterisk
Version: 1:16.2.1~dfsg-2
Severity: important
Tags: security upstream
Forwarded: https://issues.asterisk.org/jira/browse/ASTERISK-28580
Control: found -1 1:16.2.1~dfsg-1+deb10u1
Control: found -1 1:16.2.1~dfsg-1
Control: found -1 1:13.14.1~dfsg-2+deb9u4
Control: found -1 1:13.14.1~dfsg-1
Hi,

The following vulnerability was published for asterisk.

CVE-2019-18610[0]:
| An issue was discovered in manager.c in Sangoma Asterisk through 13.x,
| 16.x, 17.x and Certified Asterisk 13.21 through 13.21-cert4. A remote
| authenticated Asterisk Manager Interface (AMI) user without system
| authorization could use a specially crafted Originate AMI request to
| execute arbitrary system commands.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-18610
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18610
[1] https://issues.asterisk.org/jira/browse/ASTERISK-28580
[2] https://downloads.asterisk.org/pub/security/AST-2019-007.html

Regards,
Salvatore
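
Added example, not part of the original report or of Asterisk's own code: a check an administrator could run over manager.conf to list AMI accounts that hold the `originate` write class without `system`, which is the privilege boundary the CVE description says a crafted Originate request crosses. The sample configuration, account names and function names are constructed for illustration, and template sections are not resolved.

```python
import re

# Constructed sample manager.conf; account names and secrets are made up.
SAMPLE_CONF = """\
[general]
enabled = yes
bindaddr = 127.0.0.1

[dialer]            ; click-to-call application
secret = example-secret-1
read = call
write = call,originate

[admin]
secret = example-secret-2
write = all

[monitor]
secret = example-secret-3
read = call,log
"""

SECTION = re.compile(r"^\[([^\]]+)\]")

def write_classes(conf_text):
    """Return {account: set of write classes} for each section except [general]."""
    accounts, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()        # ';' starts a comment
        m = SECTION.match(line)
        if m:
            name = m.group(1).strip()
            current = None if name.lower() == "general" else name
            if current: accounts[current] = set()  # template syntax is not resolved
        elif current and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "write":
                classes = value.lstrip(">").split(",")   # accepts '=' and '=>'
                accounts[current] |= {c.strip().lower() for c in classes if c.strip()}
    return accounts

def originate_without_system(conf_text):
    """Accounts allowed to send Originate that were not granted 'system' (or 'all')."""
    return sorted(
        name for name, c in write_classes(conf_text).items()
        if "originate" in c and not ({"system", "all"} & c)
    )
```

Accounts this returns are the ones that gain command execution they were never granted on an unpatched server, so they are the first to review or restrict until the fixed package is installed.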