Directory Traversal Vulnerability in Sangoma Asterisk
CVE-2022-42706

4.9 MEDIUM

Key Information:

Vendor: Sangoma
CVE Published: 5 December 2022

What is CVE-2022-42706?

A vulnerability has been identified in Sangoma Asterisk versions 16.28, 17, 18 (up to 18.14), 19 (up to 19.6), and certified version 18.9-cert1. This issue allows unauthorized applications to exploit the Asterisk Manager Interface's GetConfig function, potentially enabling them to access files outside of the designated Asterisk configuration directory. This could lead to sensitive information exposure and unauthenticated file access, posing significant security risks for users and systems reliant on Asterisk.

CVSS V3.1

Score: 4.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
