An SSRF issue exists in Asterisk up to and including 19.x. When using STIR/SHAKEN, it's possible to send arbitrary requests (such as GET) to interfaces such as localhost by using the Identity header. This is fixed in 16.25.2, 18.11.2, and 19.3.2.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
digium asterisk |
||
debian debian linux 10.0 |
||
debian debian linux 11.0 |