Vulnerability Description
An issue was discovered in manager.c in Sangoma Asterisk through 13.x, 16.x, 17.x and Certified Asterisk 13.21 through 13.21-cert4. A remote authenticated Asterisk Manager Interface (AMI) user without system authorization could use a specially crafted Originate AMI request to execute arbitrary system commands.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Digium | Asterisk | >= 13.0.0, < 13.29.2 |
| Digium | Certified Asterisk | 13.21.0 |
| Debian | Debian Linux | 8.0 |
Related Weaknesses (CWE)
References
- http://downloads.asterisk.org/pub/security/AST-2019-007.htmlPatchVendor Advisory
- https://lists.debian.org/debian-lts-announce/2019/11/msg00038.htmlMailing ListThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2022/04/msg00001.htmlMailing ListThird Party Advisory
- https://www.asterisk.org/downloads/security-advisoriesVendor Advisory
- http://downloads.asterisk.org/pub/security/AST-2019-007.htmlPatchVendor Advisory
- https://lists.debian.org/debian-lts-announce/2019/11/msg00038.htmlMailing ListThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2022/04/msg00001.htmlMailing ListThird Party Advisory
- https://www.asterisk.org/downloads/security-advisoriesVendor Advisory
FAQ
What is CVE-2019-18610?
CVE-2019-18610 is a vulnerability with a CVSS score of 8.8 (HIGH). An issue was discovered in manager.c in Sangoma Asterisk through 13.x, 16.x, 17.x and Certified Asterisk 13.21 through 13.21-cert4. A remote authenticated Asterisk Manager Interface (AMI) user without...
How severe is CVE-2019-18610?
CVE-2019-18610 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-18610?
Check the references section above for vendor advisories and patch information. Affected products include: Digium Asterisk, Digium Certified Asterisk, Debian Debian Linux.