Vulnerability CVE-2014-8418


Published: 2014-11-24

Description:
The DB dialplan function in Asterisk Open Source 1.8.x before 1.8.32, 11.x before 11.1.4.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 1.8 before 1.8.28-cert8 and 11.6 before 11.6-cert8 allows remote authenticated users to gain privileges via a call from an external protocol, as demonstrated by the AMI protocol.

Type: CWE-264 (Permissions, Privileges, and Access Controls)

Vendor: Asterisk
Product: Asterisk 
Version:
12.7.0
11.14.0
1.8.32.0
See more versions on NVD
Product: Certified asterisk 
Version:
11.6.0
11.6
1.8.28.0
1.8.28
See more versions on NVD
Vendor: Digium
Product: Asterisk 
Version:
12.7.0
12.6.1
12.6.0
12.5.1
12.5.0
12.4.0
12.3.2
12.3.1
12.3.0
12.2.0
12.1.1
12.1.0
12.0.0
11.9.0
11.8.1
11.8.0
11.7.0
11.6.1
11.6.0
11.5.1
11.5.0
11.4.0
11.3.0
11.2.2
11.2.1
11.2.0
11.14.0
11.13.1
11.13.0
11.12.1
11.12.0
11.11.0
11.10.2
11.10.1
11.10.0
11.1.2
11.1.1
11.1.0
11.0.2
11.0.1
11.0.0
1.8.9.3
1.8.9.2
1.8.9.1
1.8.9.0
1.8.8.2
1.8.8.1
1.8.8.0
1.8.7.2
1.8.7.1
1.8.7.0
1.8.6.0
1.8.5.1
1.8.5.0
1.8.5
1.8.4.4
1.8.4.3
1.8.4.2
1.8.4.1
1.8.4
1.8.32.0
1.8.31.1
1.8.31.0
1.8.30.0
1.8.3.3
1.8.3.2
1.8.3.1
1.8.3
1.8.29.0
1.8.28.2
1.8.28.1
1.8.28.0
1.8.27.0
1.8.26.1
1.8.26.0
1.8.25.0
1.8.24.1
1.8.24.0
1.8.23.1
1.8.23.0
1.8.22.0
1.8.21.0
1.8.20.2
1.8.20.1
1.8.20.0
1.8.2.4
1.8.2.3
1.8.2.2
1.8.2.1
See more versions on NVD
Product: Certified asterisk 
Version:
11.6.0
11.6
1.8.28.0
1.8.28
See more versions on NVD

CVSS2 => (AV:N/AC:L/Au:S/C:C/I:C/A:C)

CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

References:
http://downloads.asterisk.org/pub/security/AST-2014-018.html

Related CVE
CVE-2019-12827
Buffer overflow in res_pjsip_messaging in Digium Asterisk versions 13.21-cert3, 13.27.0, 15.7.2, 16.4.0 and earlier allows remote authenticated users to crash Asterisk by sending a specially crafted SIP MESSAGE message.
CVE-2016-7550
asterisk 13.10.0 is affected by: denial of service issues in asterisk. The impact is: cause a denial of service (remote).
CVE-2019-7251
An Integer Signedness issue (for a return code) in the res_pjsip_sdp_rtp module in Digium Asterisk versions 15.7.1 and earlier and 16.1.1 and earlier allows remote authenticated users to crash Asterisk via a specially crafted SDP protocol violation.
CVE-2018-19278
Buffer overflow in DNS SRV and NAPTR lookups in Digium Asterisk 15.x before 15.6.2 and 16.x before 16.0.1 allows remote attackers to crash Asterisk via a specially crafted DNS SRV or NAPTR response, because a buffer size is supposed to match an expan...
CVE-2018-17281
There is a stack consumption vulnerability in the res_http_websocket.so module of Asterisk through 13.23.0, 14.7.x through 14.7.7, and 15.x through 15.6.0 and Certified Asterisk through 13.21-cert2. It allows an attacker to crash Asterisk via a speci...
CVE-2018-12227
An issue was discovered in Asterisk Open Source 13.x before 13.21.1, 14.x before 14.7.7, and 15.x before 15.4.1 and Certified Asterisk 13.18-cert before 13.18-cert4 and 13.21-cert before 13.21-cert2. When endpoint specific ACL rules block a SIP reque...
CVE-2018-7287
An issue was discovered in res_http_websocket.c in Asterisk 15.x through 15.2.1. If the HTTP server is enabled (default is disabled), WebSocket payloads of size 0 are mishandled (with a busy loop).
CVE-2018-7286
An issue was discovered in Asterisk through 13.19.1, 14.x through 14.7.5, and 15.x through 15.2.1, and Certified Asterisk through 13.18-cert2. res_pjsip allows remote authenticated users to crash Asterisk (segmentation fault) by sending a number of S...

Copyright 2019, cxsecurity.com

 
