CVE-2012-2414

Published: 30/04/2012 Updated: 14/12/2017
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
VMScore: 578
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Summary

main/manager.c in the Manager Interface in Asterisk Open Source 1.6.2.x prior to 1.6.2.24, 1.8.x prior to 1.8.11.1, and 10.x prior to 10.3.1 and Asterisk Business Edition C.3.x before C.3.7.4 does not properly enforce System class authorization requirements, which allows remote authenticated users to execute arbitrary commands via (1) the originate action in the MixMonitor application, (2) the SHELL and EVAL functions in the GetVar manager action, or (3) the SHELL and EVAL functions in the Status manager action.

Vulnerable Product

asterisk open source 1.6.2.0

asterisk open source 1.6.2.4

asterisk open source 1.6.2.5

asterisk open source 1.6.2.7

asterisk open source 1.6.2.8

asterisk open source 1.6.2.10

asterisk open source 1.6.2.14

asterisk open source 1.6.2.15

asterisk open source 1.6.2.17

asterisk open source 1.6.2.18

asterisk open source 1.6.2.18.1

asterisk open source 1.6.2.1

asterisk open source 1.6.2.2

asterisk open source 1.6.2.3

asterisk open source 1.6.2.9

asterisk open source 1.6.2.13

asterisk open source 1.6.2.16.1

asterisk open source 1.6.2.16.2

asterisk open source 1.6.2.17.3

asterisk open source 1.6.2.22

asterisk open source 1.6.2.23

asterisk open source 1.6.2.6

asterisk open source 1.6.2.11

asterisk open source 1.6.2.15.1

asterisk open source 1.6.2.18.2

asterisk open source 1.6.2.19

asterisk open source 1.6.2.12

asterisk open source 1.6.2.16

asterisk open source 1.6.2.17.1

asterisk open source 1.6.2.17.2

asterisk open source 1.6.2.20

asterisk open source 1.6.2.21

asterisk open source 1.8.0

asterisk open source 1.8.2

asterisk open source 1.8.2.1

asterisk open source 1.8.3.1

asterisk open source 1.8.3.2

asterisk open source 1.8.4.2

asterisk open source 1.8.4.3

asterisk open source 1.8.6.0

asterisk open source 1.8.7.0

asterisk open source 1.8.8.0

asterisk open source 1.8.1.2

asterisk open source 1.8.3

asterisk open source 1.8.4

asterisk open source 1.8.4.1

asterisk open source 1.8.9.0

asterisk open source 1.8.10.0

asterisk open source 1.8.1

asterisk open source 1.8.2.2

asterisk open source 1.8.2.3

asterisk open source 1.8.2.4

asterisk open source 1.8.3.3

asterisk open source 1.8.4.4

asterisk open source 1.8.5

asterisk open source 1.8.7.1

asterisk open source 1.8.8.1

asterisk open source 1.8.9.2

asterisk open source 1.8.9.3

asterisk open source 1.8.11.0

asterisk open source 1.8.9.1

asterisk open source 1.8.10.1

asterisk open source 1.8.1.1

asterisk open source 1.8.5.0

asterisk open source 1.8.7.2

asterisk open source 1.8.8.2

asterisk open source 10.0.0

asterisk open source 10.1.1

asterisk open source 10.1.2

asterisk open source 10.3.0

asterisk open source 10.0.1

asterisk open source 10.1.0

asterisk open source 10.2.0

asterisk open source 10.1.3

asterisk open source 10.2.1

Vendor Advisories

Debian Bug report logs - #664411: [CVE-2012-1183 - CVE-2012-1184] Asterisk: AST-2012-002 and AST-2012-003 flaws. Package: asterisk; Maintainer for asterisk is Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>; Source for asterisk is src:asterisk. Reported by: Luciano Bello <luciano@debian ...

Debian Bug report logs - #670180: CVE-2012-2414 CVE-2012-2415 CVE-2012-2416. Package: asterisk; Maintainer for asterisk is Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>; Source for asterisk is src:asterisk. Reported by: Moritz Muehlenhoff <jmm@debian.org> Date: Mon, 23 Apr 2012 18 ...

Several vulnerabilities were discovered in the Asterisk PBX and telephony toolkit:

CVE-2012-1183: Russell Bryant discovered a buffer overflow in the Milliwatt application.

CVE-2012-2414: David Woolley discovered a privilege escalation in the Asterisk manager interface.

CVE-2012-2415: Russell Bryant discovered a buffer overflow in ...