CVE-2023-49294
Severity CVSS v4.0:
Pending analysis
Type:
CWE-22
Path Traversal
Publication date:
14/12/2023
Last modified:
29/12/2023
Description
Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, it is possible to read any arbitrary file even when the `live_dangerously` is not enabled. This allows arbitrary files to be read. Asterisk versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, contain a fix for this issue.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:* | 18.20.1 (excluding) | |
| cpe:2.3:a:digium:asterisk:*:*:*:*:*:*:*:* | 19.0.0 (including) | 20.5.1 (excluding) |
| cpe:2.3:a:digium:asterisk:21.0.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sangoma:certified_asterisk:13.13.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1:*:*:*:*:*:* | ||
| cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc1:*:*:*:*:*:* | ||
| cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc2:*:*:*:*:*:* | ||
| cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc3:*:*:*:*:*:* | ||
| cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert1-rc4:*:*:*:*:*:* | ||
| cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert2:*:*:*:*:*:* | ||
| cpe:2.3:a:sangoma:certified_asterisk:13.13.0:cert3:*:*:*:*:*:* | ||
| cpe:2.3:a:sangoma:certified_asterisk:13.13.0:rc1:*:*:*:*:*:* | ||
| cpe:2.3:a:sangoma:certified_asterisk:13.13.0:rc2:*:*:*:*:*:* | ||
| cpe:2.3:a:sangoma:certified_asterisk:16.8.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:sangoma:certified_asterisk:16.8.0:cert1:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page