ID

VAR-202212-0244


CVE

CVE-2022-42706


TITLE

Asterisk Path traversal vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202212-2080

DESCRIPTION

An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to access files outside of the asterisk configuration directory, aka Directory Traversal.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5358-1                   security@debian.org
https://www.debian.org/security/                           Markus Koschany
February 23, 2023                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : asterisk
CVE ID         : CVE-2022-23537 CVE-2022-23547 CVE-2022-31031 CVE-2022-37325
                 CVE-2022-39244 CVE-2022-39269 CVE-2022-42705 CVE-2022-42706

Multiple security vulnerabilities have been discovered in Asterisk, an Open Source Private Branch Exchange. Buffer overflows and other programming errors could be exploited for launching a denial of service attack or the execution of arbitrary code.

For the stable distribution (bullseye), these problems have been fixed in version 1:16.28.0~dfsg-0+deb11u2.

We recommend that you upgrade your asterisk packages.

For the detailed security status of asterisk please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/asterisk

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmP3LTtfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeQLpw/8CshgHqfiBn5zx4yxf0mmnHaeXDpDmebNz0MLPJQOBHLn6IBFyAu+TpM5
o9CgBlgTx6LdXToik+0QQtG50EnCp+2gPQ+dalY7lHswTfdwqIrMIM8NUwtOo9ut
DUUptPBTbUVDICh/OZfiNE3EfxAJ5Z6ktoqC/L8IqCx/S1ZwbdQJSVXAAQJJUVyT
syXDNHpoYqehm6p0JKOAbYkROnCKyvfhrtu9clZgUx0lhlxGRpAMspO15mUTyxqR
xLwsWAqWyfPXTZBpa6Ym8Aa8vQeDrvk3QakigvhnYHxhz51eJiH8WcsIzh2NQLW0
CsJHYx+Hq3rVUHpIWvPyR00HeKfGNu4pYzXS8RAhuKricEgxNWEQKWxYO76+xrWt
avZ1ebREYG2+6AcneB3ceSCPNEg3YeySmf5RyFYy+3s307OsA8/kbSwzsi4lmBZe
1+bqDZvcb76dEz2d5bFaC9qJ3EUX3C19B4mo/bi+IW4s8YypZZX3OpmH5jCkIFKF
XiEmuDj3rtrDYSzQgSCKgflXQIv63UsUn3NbZk2KIkQTZRpBfT8p5M7DWwozOCbO
9CN6gsjkM/H+YT2FfEdXMsqw7H6tl3wv1HUIj9dDaAYfxfnHGMfe3jeSBA84Ql1J
+NrQctHyDGHo5WcU4ThMNawTuz+FUn/MHb4+ycyP8TjZa/RHX4M=
=HsMO
-----END PGP SIGNATURE-----

Trust: 0.99

sources: NVD: CVE-2022-42706 // PACKETSTORM: 171105
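The GetConfig traversal described above comes down to a missing containment check on the AMI Filename parameter. The following Python is an added example, not Asterisk project code and not the AST-2022-009 fix itself: it parses raw AMI action frames, applies the containment check a hardened GetConfig handler should make before opening a file, and reuses that check to flag traversal attempts in a captured AMI session. The configuration directory /etc/asterisk and the sample session are constructed for the example; on a real host the directory is astetcdir from asterisk.conf.

```python
import posixpath

# Assumed configuration directory for the example; the live value is
# astetcdir from asterisk.conf.
AST_CONFIG_DIR = "/etc/asterisk"


def parse_ami_frames(raw: str) -> list:
    """Split raw AMI text into frames.

    An AMI frame is a series of 'Key: Value' lines ended by an empty line
    (CRLF CRLF on the wire). Keys are lower-cased for lookup.
    """
    frames, current = [], {}
    for line in raw.replace("\r\n", "\n").split("\n"):
        if line == "":
            if current:
                frames.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip().lower()] = value.strip()
    if current:
        frames.append(current)
    return frames


def safe_config_path(filename: str, config_dir: str = AST_CONFIG_DIR):
    """Return the resolved path for a GetConfig Filename, or None if it escapes config_dir.

    Rejects empty names, absolute paths, embedded NULs, and any name that
    normalises to something outside config_dir (the CWE-22 case). This is a
    lexical check; on a live system also compare os.path.realpath() results so
    that a symlink planted inside the directory cannot point back out.
    """
    if not filename or filename.startswith("/") or "\x00" in filename:
        return None
    prefix = config_dir.rstrip("/") + "/"
    candidate = posixpath.normpath(posixpath.join(prefix, filename))
    return candidate if candidate.startswith(prefix) else None


def find_traversal_attempts(raw: str, config_dir: str = AST_CONFIG_DIR) -> list:
    """Return (ActionID, Filename) for each GetConfig action whose Filename fails the check."""
    hits = []
    for frame in parse_ami_frames(raw):
        if frame.get("action", "").lower() != "getconfig":
            continue
        filename = frame.get("filename", "")
        if safe_config_path(filename, config_dir) is None:
            hits.append((frame.get("actionid", ""), filename))
    return hits


# Constructed AMI session (client side only): one benign request and two
# that try to leave the configuration directory.
SAMPLE_AMI_SESSION = (
    "Action: Login\r\nUsername: monitor\r\nSecret: example\r\n\r\n"
    "Action: GetConfig\r\nActionID: 1\r\nFilename: sip.conf\r\n\r\n"
    "Action: GetConfig\r\nActionID: 2\r\nFilename: ../../etc/passwd\r\n\r\n"
    "Action: GetConfig\r\nActionID: 3\r\nFilename: /etc/shadow\r\n\r\n"
)

if __name__ == "__main__":
    for action_id, name in find_traversal_attempts(SAMPLE_AMI_SESSION):
        print(f"traversal attempt: ActionID={action_id} Filename={name!r}")
```

The CVSS vector below (PR:H, AV:N) reflects that the request needs an already authenticated AMI session, which is why the impact is read access rather than anything unauthenticated. Until the fixed packages are installed, the detector can be run over AMI traffic captured on the manager port (5038 by default), and manager.conf accounts that hold the config read class should be reviewed, since only those can issue GetConfig at all.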

AFFECTED PRODUCTS

vendor: sangoma   model: asterisk             scope: gte   version: 16.0.0

Trust: 1.0

vendor: sangoma   model: asterisk             scope: lt    version: 16.29.1

Trust: 1.0

vendor: sangoma   model: asterisk             scope: gte   version: 17.0.0

Trust: 1.0

vendor: sangoma   model: asterisk             scope: lt    version: 18.15.1

Trust: 1.0

vendor: sangoma   model: asterisk             scope: gte   version: 19.0.0

Trust: 1.0

vendor: sangoma   model: asterisk             scope: lt    version: 19.7.1

Trust: 1.0

vendor: sangoma   model: asterisk             scope: eq    version: 20.0.0

Trust: 1.0

vendor: sangoma   model: certified asterisk   scope: eq    version: 18.9

Trust: 1.0

vendor: sangoma   model: certified asterisk   scope: lt    version: 18.9

Trust: 1.0

Read as NVD version ranges: asterisk 16.0.0 <= v < 16.29.1; 17.0.0 <= v < 18.15.1; 19.0.0 <= v < 19.7.1; v = 20.0.0; certified asterisk 18.9 and earlier. The lt bounds are the first unaffected releases of each branch.

sources: NVD: CVE-2022-42706

CVSS

SEVERITY

nvd@nist.gov: CVE-2022-42706
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-202212-2080
value: MEDIUM

Trust: 0.6

CVSSV2

(no CVSS v2 score recorded)

CVSSV3

nvd@nist.gov: CVE-2022-42706
baseSeverity: MEDIUM
baseScore: 4.9
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.2
impactScore: 3.6
version: 3.1

Trust: 1.0

sources: CNNVD: CNNVD-202212-2080 // NVD: CVE-2022-42706

PROBLEMTYPE DATA

problemtype: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)

Trust: 1.0

sources: NVD: CVE-2022-42706

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202212-2080

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-202212-2080

PATCH

title: Asterisk repair measures for path traversal vulnerabilities
url: http://123.124.177.30/web/xxk/bdxqById.tag?id=216715

Trust: 0.6

sources: CNNVD: CNNVD-202212-2080

EXTERNAL IDS

db: NVD          id: CVE-2022-42706

Trust: 1.7

db: AUSCERT      id: ESB-2022.6289

Trust: 0.6

db: CNNVD        id: CNNVD-202212-2080

Trust: 0.6

db: PACKETSTORM  id: 171105

Trust: 0.1

sources: PACKETSTORM: 171105 // CNNVD: CNNVD-202212-2080 // NVD: CVE-2022-42706

REFERENCES

url: https://downloads.asterisk.org/pub/security/ast-2022-009.html

Trust: 1.6

url: https://www.debian.org/security/2023/dsa-5358

Trust: 1.6

url: https://lists.debian.org/debian-lts-announce/2023/02/msg00029.html

Trust: 1.6

url: https://vigilance.fr/vulnerability/asterisk-open-source-directory-traversal-via-getconfig-ami-actio-40002

Trust: 0.6

url: https://cxsecurity.com/cveshow/cve-2022-42706/

Trust: 0.6

url: https://www.auscert.org.au/bulletins/esb-2022.6289

Trust: 0.6

url: https://www.debian.org/security/

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2022-23547

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2022-31031

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2022-37325

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2022-39244

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2022-39269

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2022-42705

Trust: 0.1

url: https://www.debian.org/security/faq

Trust: 0.1

url: https://security-tracker.debian.org/tracker/asterisk

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2022-42706

Trust: 0.1

url: https://nvd.nist.gov/vuln/detail/cve-2022-23537

Trust: 0.1

sources: PACKETSTORM: 171105 // CNNVD: CNNVD-202212-2080 // NVD: CVE-2022-42706

CREDITS

Debian

Trust: 0.1

sources: PACKETSTORM: 171105

SOURCES

db: PACKETSTORM  id: 171105
db: CNNVD        id: CNNVD-202212-2080
db: NVD          id: CVE-2022-42706

LAST UPDATE DATE

2024-08-14T13:14:33.671000+00:00


SOURCES UPDATE DATE

db: CNNVD        id: CNNVD-202212-2080   date: 2023-02-27T00:00:00
db: NVD          id: CVE-2022-42706      date: 2023-02-24T00:15:12.133

SOURCES RELEASE DATE

db: PACKETSTORM  id: 171105              date: 2023-02-23T16:33:14
db: CNNVD        id: CNNVD-202212-2080   date: 2022-12-02T00:00:00
db: NVD          id: CVE-2022-42706      date: 2022-12-05T21:15:10.227