ID CVE-2022-26499
Summary An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send arbitrary requests (such as GET) to interfaces such as localhost by using the Identity header. This is fixed in 16.25.2, 18.11.2, and 19.3.2.
References
Vulnerable Configurations
  • cpe:2.3:a:digium:asterisk:16.15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:16.15.1:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:16.16.1:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:16.17.0:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:16.18.0:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:16.19.0:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:16.19.1:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:16.20.0:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:16.21.0:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:16.22.0:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:16.23.0:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:16.24.0:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:16.25.0:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:18.0:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:18.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:18.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:18.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:18.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:18.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:18.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:18.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:18.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:18.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:19.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:19.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:19.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:19.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:19.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:digium:asterisk:19.3.1:*:*:*:*:*:*:*
CVSS
Base: 6.4 (as of 22-04-2022 - 17:47)
Impact:
Exploitability:
CWE CWE-918
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:N
Last major update 22-04-2022 - 17:47
Published 15-04-2022 - 05:15
Last modified 22-04-2022 - 17:47