CVE-2023-49294

Name
CVE-2023-49294
Description
Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, it is possible to read any arbitrary file even when the `live_dangerously` option is not enabled. Asterisk versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk 18.9-cert6, contain a fix for this issue.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
security-advisories@github.com https://github.com/asterisk/asterisk/blob/master/main/manager.c#L3757
security-advisories@github.com https://github.com/asterisk/asterisk/commit/424be345639d75c6cb7d0bd2da5f0f407dbd0bd5
security-advisories@github.com https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f
security-advisories@github.com https://lists.debian.org/debian-lts-announce/2023/12/msg00019.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:* asterisk >= None < 18.20.1
cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:* asterisk >= 19.0.0 < 20.5.1
cpe:2.3:a:digium:asterisk:21.0.0:*:*:*:*:*:*:* asterisk == None == 21.0.0
cpe:2.3:a:sangoma:certified_asterisk:13.13.0:*:*:*:*:*:*:* certified_asterisk == None == 13.13.0
cpe:2.3:a:sangoma:certified_asterisk:16.8.0:-:*:*:*:*:*:* certified_asterisk == None == 16.8.0
cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1:*:*:*:*:*:* certified_asterisk == None == 18.9

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
asterisk 3.16-main 18.20.2-r0 Timo Teras <timo.teras@iki.fi> fixed