CVE-2011-1599

Sažetak

manager.c in the Manager Interface in Asterisk Open Source 1.4.x before 1.4.40.1, 1.6.1.x before 1.6.1.25, 1.6.2.x before 1.6.2.17.3, and 1.8.x before 1.8.3.3 and Asterisk Business Edition C.x.x before C.3.6.4 does not properly check for the system privilege, which allows remote authenticated users to execute arbitrary commands via an Originate action that has an Async header in conjunction with an Application header.

Reference

http://downloads.digium.com/pub/security/AST-2011-006.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058922.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-May/059702.html
http://openwall.com/lists/oss-security/2011/04/22/6
http://secunia.com/advisories/44197
http://secunia.com/advisories/44529
http://securitytracker.com/id?1025433
http://www.debian.org/security/2011/dsa-2225
http://www.securityfocus.com/bid/47537
http://www.vupen.com/english/advisories/2011/1086
http://www.vupen.com/english/advisories/2011/1107
http://www.vupen.com/english/advisories/2011/1188

CVSS

Base:	9.0
Impact:	10.0
Exploitability:	8.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
COMPLETE	COMPLETE	COMPLETE

CVSS vektor

AV:N/AC:L/Au:S/C:C/I:C/A:C

Zadnje važnije ažuriranje

07-09-2011 - 03:16

Objavljeno

27-04-2011 - 00:55