CVE-2022-26651
Gentoo Linux Security Advisory 202412-03
Severity Score
9.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc module provides possibly inadequate escaping functionality for backslash characters in SQL queries, resulting in user-provided data creating a broken SQL query or possibly a SQL injection. This is fixed in 16.25.2, 18.11.2, and 19.3.2, and 16.8-cert14.
Se ha detectado un problema en Asterisk versiones hast 19.x y Certified Asterisk versiones hasta 16.8-cert13. El módulo func_odbc proporciona una funcionalidad de escape posiblemente inapropiada para los caracteres de barra invertida en las consultas SQL, resultando en que los datos proporcionados por el usuario creen una consulta SQL rota o posiblemente una inyección SQL. Esto ha sido corregido en versiones 16.25.2, 18.11.2 y 19.3.2, y 16.8-cert14
Asterisk suffers from a possible remote SQL injection vulnerability. Some databases can use backslashes to escape certain characters, such as backticks. If input is provided to func_odbc which includes backslashes it is possible for func_odbc to construct a broken SQL query and the SQL query to fail. Asterisk Open Source versions 16.x up to but not including 16.25.2, 18.x up to but not including 18.11.2, and 19.x up to but not including 19.3.2 are affected. Certified Asterisk versions 16.x up to but not including 16.8-cert14 are affected.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-03-07 CVE Reserved
- 2022-04-15 CVE Published
- 2024-08-03 CVE Updated
- 2025-05-05 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| http://packetstormsecurity.com/files/166746/Asterisk-Project-Security-Advisory-AST-2022-003.html | Third Party Advisory |
|
| https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html | Mailing List |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://downloads.asterisk.org/pub/security | 2023-02-02 | |
| https://downloads.asterisk.org/pub/security/AST-2022-003.html | 2023-02-02 | |
| https://www.debian.org/security/2022/dsa-5285 | 2023-02-02 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Digium Search vendor "Digium" | Asterisk Search vendor "Digium" for product "Asterisk" | >= 16.0.0 < 16.25.2 Search vendor "Digium" for product "Asterisk" and version " >= 16.0.0 < 16.25.2" | - |
Affected
| ||||||
| Digium Search vendor "Digium" | Asterisk Search vendor "Digium" for product "Asterisk" | >= 18.0 < 18.11.2 Search vendor "Digium" for product "Asterisk" and version " >= 18.0 < 18.11.2" | - |
Affected
| ||||||
| Digium Search vendor "Digium" | Asterisk Search vendor "Digium" for product "Asterisk" | >= 19.0.0 < 19.3.2 Search vendor "Digium" for product "Asterisk" and version " >= 19.0.0 < 19.3.2" | - |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 16.8 Search vendor "Digium" for product "Certified Asterisk" and version "16.8" | - |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 16.8 Search vendor "Digium" for product "Certified Asterisk" and version "16.8" | cert1-rc1 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 16.8 Search vendor "Digium" for product "Certified Asterisk" and version "16.8" | cert1-rc2 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 16.8 Search vendor "Digium" for product "Certified Asterisk" and version "16.8" | cert1-rc3 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 16.8 Search vendor "Digium" for product "Certified Asterisk" and version "16.8" | cert1-rc4 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 16.8 Search vendor "Digium" for product "Certified Asterisk" and version "16.8" | cert10 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 16.8 Search vendor "Digium" for product "Certified Asterisk" and version "16.8" | cert11 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 16.8 Search vendor "Digium" for product "Certified Asterisk" and version "16.8" | cert12 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 16.8 Search vendor "Digium" for product "Certified Asterisk" and version "16.8" | cert13 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 16.8 Search vendor "Digium" for product "Certified Asterisk" and version "16.8" | cert2 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 16.8 Search vendor "Digium" for product "Certified Asterisk" and version "16.8" | cert3 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 16.8 Search vendor "Digium" for product "Certified Asterisk" and version "16.8" | cert4 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 16.8 Search vendor "Digium" for product "Certified Asterisk" and version "16.8" | cert4-rc1 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 16.8 Search vendor "Digium" for product "Certified Asterisk" and version "16.8" | cert4-rc2 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 16.8 Search vendor "Digium" for product "Certified Asterisk" and version "16.8" | cert4-rc3 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 16.8 Search vendor "Digium" for product "Certified Asterisk" and version "16.8" | cert4-rc4 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 16.8 Search vendor "Digium" for product "Certified Asterisk" and version "16.8" | cert5 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 16.8 Search vendor "Digium" for product "Certified Asterisk" and version "16.8" | cert6 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 16.8 Search vendor "Digium" for product "Certified Asterisk" and version "16.8" | cert7 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 16.8 Search vendor "Digium" for product "Certified Asterisk" and version "16.8" | cert8 |
Affected
| ||||||
| Digium Search vendor "Digium" | Certified Asterisk Search vendor "Digium" for product "Certified Asterisk" | 16.8 Search vendor "Digium" for product "Certified Asterisk" and version "16.8" | cert9 |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0" | - |
Affected
| ||||||