Vulnerability Description
An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send arbitrary requests (such as GET) to interfaces such as localhost by using the Identity header. This is fixed in 16.25.2, 18.11.2, and 19.3.2.
CVSS Score
9.1 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Digium | Asterisk | >= 16.15.0, <= 16.25.1 |
| Debian | Debian Linux | 10.0 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/166745/Asterisk-Project-Security-Advisory-A (Patch, Third Party Advisory, VDB Entry)
- https://downloads.asterisk.org/pub/security/ (Vendor Advisory)
- https://downloads.asterisk.org/pub/security/AST-2022-002.html (Patch, Vendor Advisory)
- https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html (Issue Tracking, Third Party Advisory)
- https://www.debian.org/security/2022/dsa-5285 (Third Party Advisory)
FAQ
What is CVE-2022-26499?
CVE-2022-26499 is a vulnerability with a CVSS score of 9.1 (CRITICAL). An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send arbitrary requests (such as GET) to interfaces such as localhost by using the Identity header. This is fixed in 16.25.2, 18.11.2, and 19.3.2.
How severe is CVE-2022-26499?
CVE-2022-26499 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-26499?
Check the references section above for vendor advisories and patch information. Affected products include: Digium Asterisk, Debian Debian Linux.