Vulnerability Description
Incomplete blacklist vulnerability in main/manager.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert6, Asterisk Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6 allows remote authenticated users to execute arbitrary commands by leveraging originate privileges and providing an ExternalIVR value in an AMI Originate action.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Asterisk | Open Source | 1.8.0 |
| Sangoma | Asterisk | <= 1.8.15.0 |
| Asterisk | Certified Asterisk | <= 1.8.11 |
| Asterisk | Digiumphones | <= 10.7.0 |
| Asterisk | Business Edition | <= c.3.7.5 |
References
- http://downloads.asterisk.org/pub/security/AST-2012-012.htmlPatchVendor Advisory
- http://secunia.com/advisories/50687
- http://secunia.com/advisories/50756
- http://www.debian.org/security/2012/dsa-2550
- http://www.securitytracker.com/id?1027460
- http://downloads.asterisk.org/pub/security/AST-2012-012.htmlPatchVendor Advisory
- http://secunia.com/advisories/50687
- http://secunia.com/advisories/50756
- http://www.debian.org/security/2012/dsa-2550
- http://www.securitytracker.com/id?1027460
FAQ
What is CVE-2012-2186?
CVE-2012-2186 is a vulnerability with a CVSS score of 9.0 (HIGH). Incomplete blacklist vulnerability in main/manager.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert6, Asterisk Digiumphones 10.x.x-d...
How severe is CVE-2012-2186?
CVE-2012-2186 has been rated HIGH with a CVSS base score of 9.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-2186?
Check the references section above for vendor advisories and patch information. Affected products include: Asterisk Open Source, Sangoma Asterisk, Asterisk Certified Asterisk, Asterisk Digiumphones, Asterisk Business Edition.