Privilege Defined With Unsafe Actions Affecting asterisk package, versions [,18.24.2) [19.0.0-rc1,20.9.2) [21.0.0-pre1,21.4.2) [cetified/1.8.6-cert1,certified-18.9-cert11) [certified-20.7-cert1-rc1,certified-20.7-cert2)

Q: How to fix?

<p>Upgrade <code>asterisk</code> to version 18.24.2, 20.9.2, 21.4.2, certified-18.9-cert11, certified-20.7-cert2 or higher.</p>

Threat Intelligence

Proof of concept

0.21% (60^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-UNMANAGED-ASTERISK-7659972
published 9 Aug 2024
disclosed 8 Aug 2024
credit NielsGaljaard

Report a new vulnerability Found a mistake?

Introduced: 8 Aug 2024

CVE-2024-42365 Open this link in a new tab CWE-267 Open this link in a new tab

How to fix?

Upgrade asterisk to version 18.24.2, 20.9.2, 21.4.2, certified-18.9-cert11, certified-20.7-cert2 or higher.

Overview

Affected versions of this package are vulnerable to Privilege Defined With Unsafe Actions in manager.c that allows a user with Write=orignate to modify all files in /etc/asterisk/, which in turn allows privilege elevation that can be used to execute code.

References

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Attack Requirements (AT)

None
Privileges Required (PR)

Low
User Interaction (UI)

None

Confidentiality (VC)

Low
Integrity (VI)

Low
Availability (VA)

Low

Confidentiality (SC)

Low
Integrity (SI)

Low
Availability (SA)

Low