CVE-2014-8418
critical
CVSS v3
—
CVSS v2
9.0
VIR risk
9.0
Description
The DB dialplan function in Asterisk Open Source 1.8.x before 1.8.32, 11.x before 11.1.4.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 1.8 before 1.8.28-cert8 and 11.6 before 11.6-cert8 allows remote authenticated users to gain privileges via a call from an external protocol, as demonstrated by the AMI protocol.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cve@mitre.org — http://downloads.asterisk.org/pub/security/AST-2014-018.html
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2014-8418
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bullseye | fixed | 1:13.1.0~dfsg-1 |
| debian | sid | fixed | 1:13.1.0~dfsg-1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| digium | certified_asterisk | 1.8.28 | |
| digium | certified_asterisk | 11.6 | |
| digium | certified_asterisk | 11.6.0 | |
| digium | asterisk | {"startIncluding":"1.8.0","endIncluding":"1.8.32.0"} | |
References
CWEs
CWE-264
Verify integrity in audit chain (admin only). AS-IS.