Main Vulnerability Database SB2014061707

SB2014061707 - Input validation error in asterisk (Alpine package)

Published: June 17, 2014

Security Bulletin ID SB2014061707

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Input validation error (CVE-ID: CVE-2014-4046)

The vulnerability allows a remote #AU# to read and manipulate data.

Asterisk Open Source 11.x before 11.10.1 and 12.x before 12.3.1 and Certified Asterisk 11.6 before 11.6-cert3 allows remote authenticated Manager users to execute arbitrary shell commands via a MixMonitor action. Per: http://cwe.mitre.org/data/definitions/77.html "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=de55133bd1474e9684c2b288e2ccfd89a7535afc
https://git.alpinelinux.org/aports/commit/?id=3b7f2f95802751798732e72c83ef2425c44ddeb2