Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2024-53566 |
CWE-ID | CWE-22 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #1 is available. |
Vulnerable software |
Asterisk Server applications / Frameworks for developing and running applications Certified Asterisk Server applications / Conferencing, Collaboration and VoIP solutions |
Vendor |
Sangoma Technologies Corporation Digium (Linux Support Services) |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU102519
Risk: Low
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2024-53566
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences within AMI ListCategories. A remote administrator can send a specially crafted HTTP request and read arbitrary files on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsAsterisk: 18.26.0 - 22.1.0
Certified Asterisk: 18.9-cert1 - 20.7-cert3
CPE2.3https://gist.github.com/hyp164D1/e7c0f44ffb38c00320aa1a6d98bee616
https://github.com/asterisk/asterisk/blob/22/main/manager.c#L2556
https://github.com/asterisk/asterisk/security/advisories/GHSA-33x6-fj46-6rfh
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.