CVE-2022-26651

CVE-2022-26651

Name

CVE-2022-26651

Description

An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc module provides possibly inadequate escaping functionality for backslash characters in SQL queries, resulting in user-provided data creating a broken SQL query or possibly a SQL injection. This is fixed in 16.25.2, 18.11.2, and 19.3.2, and 16.8-cert14.

NVD Severity

high

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://downloads.asterisk.org/pub/security/
MISC	https://downloads.asterisk.org/pub/security/AST-2022-003.html
MISC	http://packetstormsecurity.com/files/166746/Asterisk-Project-Security-Advisory-AST-2022-003.html
MLIST	https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
DEBIAN	https://www.debian.org/security/2022/dsa-5285

Type

URI

MISC

https://downloads.asterisk.org/pub/security/

MISC

https://downloads.asterisk.org/pub/security/AST-2022-003.html

MISC

http://packetstormsecurity.com/files/166746/Asterisk-Project-Security-Advisory-AST-2022-003.html

MLIST

https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html

DEBIAN

https://www.debian.org/security/2022/dsa-5285

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:digium:certified_asterisk:16.8:cert1-rc1::::::`	certified_asterisk	== None	== 16.8
`cpe:2.3:a:digium:asterisk::::::::`	asterisk	>= 16.0.0	< 16.25.2
`cpe:2.3:a:digium:asterisk::::::::`	asterisk	>= 18.0	< 18.11.2
`cpe:2.3:a:digium:asterisk::::::::`	asterisk	>= 19.0.0	< 19.3.2

CPE URI

Source package

Min version

Max version

cpe:2.3:a:digium:certified_asterisk:16.8:cert1-rc1:*:*:*:*:*:*

certified_asterisk

== None

== 16.8

cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*

asterisk

>= 16.0.0

< 16.25.2

cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*

asterisk

>= 18.0

< 18.11.2

cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:*

asterisk

>= 19.0.0

< 19.3.2

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
asterisk	edge-main	18.11.2-r0	Timo Teras <timo.teras@iki.fi>	fixed
asterisk	edge-main	18.2.2-r5	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	18.2.2-r4	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	18.2.2-r3	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	18.2.2-r2	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	18.2.2-r0	Timo Teras <timo.teras@iki.fi>	possibly vulnerable
asterisk	edge-main	18.2.1-r0	None	possibly vulnerable
asterisk	edge-main	18.1.1-r0	None	possibly vulnerable
asterisk	edge-main	18.0.1-r0	None	possibly vulnerable
asterisk	edge-main	16.6.2-r0	None	possibly vulnerable
asterisk	edge-main	16.5.1-r0	None	possibly vulnerable
asterisk	edge-main	16.4.1-r0	None	possibly vulnerable
asterisk	edge-main	16.3.0-r0	None	possibly vulnerable
asterisk	3.22-main	18.11.2-r0	None	fixed
asterisk	3.22-main	18.2.2-r2	None	possibly vulnerable
asterisk	3.22-main	18.2.1-r0	None	possibly vulnerable
asterisk	3.22-main	18.1.1-r0	None	possibly vulnerable
asterisk	3.22-main	18.0.1-r0	None	possibly vulnerable
asterisk	3.22-main	16.6.2-r0	None	possibly vulnerable
asterisk	3.22-main	16.5.1-r0	None	possibly vulnerable
asterisk	3.22-main	16.4.1-r0	None	possibly vulnerable
asterisk	3.22-main	16.3.0-r0	None	possibly vulnerable
asterisk	3.21-main	18.11.2-r0	None	fixed
asterisk	3.21-main	18.2.2-r2	None	possibly vulnerable
asterisk	3.21-main	18.2.1-r0	None	possibly vulnerable
asterisk	3.21-main	18.1.1-r0	None	possibly vulnerable
asterisk	3.21-main	18.0.1-r0	None	possibly vulnerable
asterisk	3.21-main	16.6.2-r0	None	possibly vulnerable
asterisk	3.21-main	16.5.1-r0	None	possibly vulnerable
asterisk	3.21-main	16.4.1-r0	None	possibly vulnerable
asterisk	3.21-main	16.3.0-r0	None	possibly vulnerable
asterisk	3.20-main	18.11.2-r0	None	fixed
asterisk	3.20-main	18.2.2-r2	None	possibly vulnerable
asterisk	3.20-main	18.2.1-r0	None	possibly vulnerable
asterisk	3.20-main	18.1.1-r0	None	possibly vulnerable
asterisk	3.20-main	18.0.1-r0	None	possibly vulnerable
asterisk	3.20-main	16.6.2-r0	None	possibly vulnerable
asterisk	3.20-main	16.5.1-r0	None	possibly vulnerable
asterisk	3.20-main	16.4.1-r0	None	possibly vulnerable
asterisk	3.20-main	16.3.0-r0	None	possibly vulnerable
asterisk	3.19-main	18.11.2-r0	None	fixed
asterisk	3.19-main	18.2.2-r2	None	possibly vulnerable
asterisk	3.19-main	18.2.1-r0	None	possibly vulnerable
asterisk	3.19-main	18.1.1-r0	None	possibly vulnerable
asterisk	3.19-main	18.0.1-r0	None	possibly vulnerable
asterisk	3.19-main	16.6.2-r0	None	possibly vulnerable
asterisk	3.19-main	16.5.1-r0	None	possibly vulnerable
asterisk	3.19-main	16.4.1-r0	None	possibly vulnerable
asterisk	3.19-main	16.3.0-r0	None	possibly vulnerable
asterisk	3.18-main	18.11.2-r0	None	fixed
asterisk	3.17-main	18.11.2-r0	None	fixed
asterisk	3.12-main	16.16.1-r1	Timo Teras <timo.teras@iki.fi>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages