CVE-2012-2414

Publication date 30 April 2012

Last updated 24 July 2024

Ubuntu priority

Low

Why this priority?

Description

main/manager.c in the Manager Interface in Asterisk Open Source 1.6.2.x before 1.6.2.24, 1.8.x before 1.8.11.1, and 10.x before 10.3.1 and Asterisk Business Edition C.3.x before C.3.7.4 does not properly enforce System class authorization requirements, which allows remote authenticated users to execute arbitrary commands via (1) the originate action in the MixMonitor application, (2) the SHELL and EVAL functions in the GetVar manager action, or (3) the SHELL and EVAL functions in the Status manager action.

Read the notes from the security team

Status

Package Ubuntu Release Status
asterisk 17.04 zesty
Not affected
16.10 yakkety
Not affected
16.04 LTS xenial
Not affected
15.10 wily
Not affected
15.04 vivid
Not affected
14.10 utopic
Not affected
14.04 LTS trusty Not in release
13.10 saucy
Not affected
13.04 raring
Not affected
12.10 quantal
Not affected
12.04 LTS precise Ignored end of life
11.10 oneiric Ignored end of life
11.04 natty Ignored end of life
10.04 LTS lucid Ignored end of life
8.04 LTS hardy
Not affected

Notes

tyhicks

Affects 1.6.2.x, 1.8.x, 10.x Attacker must be authenticated into the Asterisk Manager Interface

References

Other references