CVE-2014-4046

Severity

65%

Complexity

80%

Confidentiality

106%

Per: http://cwe.mitre.org/data/definitions/77.html "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"

Asterisk Open Source 11.x before 11.10.1 and 12.x before 12.3.1 and Certified Asterisk 11.6 before 11.6-cert3 allows remote authenticated Manager users to execute arbitrary shell commands via a MixMonitor action.

CVSS 2.0 Base Score 6.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P).

Overview

Type

Digium

First reported 10 years ago

2014-06-17 14:55:00

Last updated 6 years ago

2018-10-09 19:47:00

Affected Software

Digium Asterisk 11.0.0

11.0.0

Digium Asterisk 11.0.0 beta1

11.0.0

Digium Asterisk 11.0.0 beta2

11.0.0

Digium Asterisk 11.0.0 release candidate 1

11.0.0

Digium Asterisk 11.0.0 release candidate 2

11.0.0

Digium Asterisk 11.0.1

11.0.1

Digium Asterisk 11.0.2

11.0.2

Digium Asterisk 11.1.0

11.1.0

Digium Asterisk 11.1.0 release candidate 1

11.1.0

Digium Asterisk 11.1.0 release candidate 3

11.1.0

Digium Asterisk 11.1.1

11.1.1

Digium Asterisk 11.1.2

11.1.2

Digium Asterisk 11.2.0 release candidate 1

11.2.0

Digium Asterisk 11.4.0

11.4.0

Digium Asterisk 11.5.0

11.5.0

Digium Asterisk 11.5.1

11.5.1

Digium Asterisk 11.8.0

11.8.0

Digium Asterisk 11.8.0 release candidate 1

11.8.0

Digium Asterisk 11.8.0 release candidate 2

11.8.0

Digium Asterisk 11.8.0 release candidate 3

11.8.0

Digium Asterisk 11.8.1

11.8.1

Digium Asterisk 11.9.0

11.9.0

Digium Asterisk 11.9.0 release candidate 1

11.9.0

Digium Asterisk 11.9.0 release candidate 2

11.9.0

Digium Asterisk 11.10.0

11.10.0

Digium Asterisk 11.10.0 release candidate 1

11.10.0

Digium Asterisk 12.0.0

12.0.0

Digium Asterisk 12.1.0

12.1.0

Digium Asterisk 12.1.0 release candidate 1

12.1.0

Digium Asterisk 12.1.0 release candidate 2

12.1.0

Digium Asterisk 12.1.0 release candidate 3

12.1.0

Digium Asterisk 12.1.1

12.1.1

Digium Asterisk 12.2.0

12.2.0

Digium Asterisk 12.2.0 release candidate 1

12.2.0

Digium Asterisk 12.2.0 release candidate 2

12.2.0

Digium Asterisk 12.2.0 release candidate 3

12.2.0

Digium Asterisk 12.3.0

12.3.0

Digium Asterisk 12.3.0 release candidate 1

12.3.0

Digium Asterisk 12.3.0 release candidate 2

12.3.0

Digium Certified Asterisk 11.6-cert1

11.6

Digium Certified Asterisk 11.6-cert1 release candidate 1

11.6

Digium Certified Asterisk 11.6-cert1 release candidate 2

11.6

Digium Certified Asterisk 11.6-cert2

11.6

Digium Certified Asterisk 11.6.0

11.6.0

Digium Certified Asterisk 11.6.0 release candidate 1

11.6.0

Digium Certified Asterisk 11.6.0 release candidate 2

11.6.0
