Search

Find a vulnerability

Search criteria

    7 vulnerabilities found for digiumphones by asterisk

    VAR-201208-0619

    Vulnerability from variot - Updated: 2025-04-11 23:08

    Incomplete blacklist vulnerability in main/manager.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert6, Asterisk Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6 allows remote authenticated users to execute arbitrary commands by leveraging originate privileges and providing an ExternalIVR value in an AMI Originate action. Asterisk is prone to a security-bypass vulnerability that affects the manager interface. An attacker can exploit this issue to bypass certain security restrictions and execute shell commands within the context of the affected application. Asterisk Project Security Advisory - AST-2012-012

          Product         Asterisk                                            
          Summary         Asterisk Manager User Unauthorized Shell Access     
     Nature of Advisory   Permission Escalation                               
       Susceptibility     Remote Authenticated Sessions                       
          Severity        Minor                                               
       Exploits Known     No                                                  
        Reported On       July 13, 2012                                       
        Reported By       Zubair Ashraf of IBM X-Force Research               
         Posted On        August 30, 2012                                     
      Last Updated On     August 30, 2012                                     
      Advisory Contact    Matt Jordan < mjordan AT digium DOT com >           
          CVE Name        CVE-2012-2186
    
    Description  The AMI Originate action can allow a remote user to specify  
                 information that can be used to execute shell commands on    
                 the system hosting Asterisk. This can result in an unwanted  
                 escalation of permissions, as the Originate action, which    
                 requires the "originate" class authorization, can be used    
                 to perform actions that would typically require the          
                 "system" class authorization. Previous attempts to prevent   
                 this permission escalation (AST-2011-006, AST-2012-004)      
                 have sought to do so by inspecting the names of              
                 applications and functions passed in with the Originate      
                 action and, if those applications/functions matched a        
                 predefined set of values, rejecting the command if the user  
                 lacked the "system" class authorization. As reported by IBM  
                 X-Force Research, the "ExternalIVR" application is not       
                 listed in the predefined set of values. The solution for     
                 this particular vulnerability is to include the              
                 "ExternalIVR" application in the set of defined              
                 applications/functions that require "system" class           
                 authorization.
    
                 Unfortunately, the approach of inspecting fields in the      
                 Originate action against known applications/functions has a  
                 significant flaw. The predefined set of values can be        
                 bypassed by creative use of the Originate action or by       
                 certain dialplan configurations, which is beyond the         
                 ability of Asterisk to analyze at run-time. Attempting to    
                 work around these scenarios would result in severely         
                 restricting the applications or functions and prevent their  
                 usage for legitimate means. As such, any additional          
                 security vulnerabilities, where an application/function      
                 that would normally require the "system" class               
                 authorization can be executed by users with the "originate"  
                 class authorization, will not be addressed. Proper system configuration can limit the impact   
                 of such scenarios.
    
                 The next release of each version of Asterisk will contain,   
                 in addition to the fix for the "ExternalIVR" application,    
                 an updated README-SERIOUSLY.bestpractices.txt file.
    
    Resolution  Asterisk now checks for the "ExternalIVR" application when    
                processing the Originate action.
    
                Additionally, the README-SERIOUSLY.bestpractices.txt file     
                has been updated. It is highly recommended that, if AMI is    
                utilized with accounts that have the "originate" class        
                authorization, Asterisk is run under a defined user that      
                does not have root permissions. Accounts with the             
                "originate" class authorization should be treated in a        
                similar manner to those with the "system" class               
                authorization. All Rights Reserved.
    

    Permission is hereby granted to distribute and publish this advisory in its original, unaltered form. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201209-15


                                            http://security.gentoo.org/
    

    Severity: Normal Title: Asterisk: Multiple vulnerabilities Date: September 26, 2012 Bugs: #425050, #433750 ID: 201209-15


    Synopsis

    Multiple vulnerabilities have been found in Asterisk, the worst of which may allow execution of arbitrary code.

    Background

    Asterisk is an open source telephony engine and toolkit.

    Affected packages

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
    

    1 net-misc/asterisk < 1.8.15.1 >= 1.8.15.1

    Description

    Multiple vulnerabilities have been found in Asterisk:

    • An error in manager.c allows shell access (CVE-2012-2186).
    • An error in Asterisk could cause all RTP ports to be exhausted (CVE-2012-3812).
    • A double-free error could occur when two parties attempt to manipulate the same voicemail account simultaneously (CVE-2012-3863).
    • Asterisk does not properly implement certain ACL rules (CVE-2012-4737).

    Impact

    A remote, authenticated attacker could execute arbitrary code with the privileges of the process, cause a Denial of Service condition, or bypass outbound call restrictions.

    Workaround

    There is no known workaround at this time.

    Resolution

    All Asterisk users should upgrade to the latest version:

    # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/asterisk-1.8.15.1"

    References

    [ 1 ] CVE-2012-2186 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2186 [ 2 ] CVE-2012-3812 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3812 [ 3 ] CVE-2012-3863 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3863 [ 4 ] CVE-2012-4737 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4737

    Availability

    This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

    http://security.gentoo.org/glsa/glsa-201209-15.xml

    Concerns?

    Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

    License

    Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

    The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

    http://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1


    Debian Security Advisory DSA-2550-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff September 18, 2012 http://www.debian.org/security/faq


    Package : asterisk Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2012-2186 CVE-2012-3812 CVE-2012-3863 CVE-2012-4737

    Several vulnerabilities were discovered in Asterisk, a PBX and telephony toolkit, allowing privilege escalation in the Asterisk Manager, denial of service or privilege escalation.

    More detailed information can be found in the Asterisk advisories: http://downloads.asterisk.org/pub/security/AST-2012-010.html http://downloads.asterisk.org/pub/security/AST-2012-011.html http://downloads.asterisk.org/pub/security/AST-2012-012.html http://downloads.asterisk.org/pub/security/AST-2012-013.html

    For the stable distribution (squeeze), these problems have been fixed in version 1:1.6.2.9-2+squeeze7.

    For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in version 1:1.8.13.1~dfsg-1.

    We recommend that you upgrade your asterisk packages.

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux)

    iEYEARECAAYFAlBYrLoACgkQXm3vHE4uylqDBgCfTQnp2Z1XZSgJkg1L84SDPnjK muwAoOINdMCYMfcEc8spGQ7wrCWPKGaR =FRM+ -----END PGP SIGNATURE-----

    . ----------------------------------------------------------------------

    The final version of the CSI 6.0 has been released. Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/


    TITLE: Debian update for asterisk

    SECUNIA ADVISORY ID: SA50687

    VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/50687/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=50687

    RELEASE DATE: 2012-09-19

    DISCUSS ADVISORY: http://secunia.com/advisories/50687/#comments

    AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s)

    http://secunia.com/advisories/50687/

    ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS

    https://ca.secunia.com/?page=viewadvisory&vuln_id=50687

    ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING

    http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

    DESCRIPTION: Debian has issued an update for asterisk.

    For more information: SA49814 SA50456

    SOLUTION: Apply updated packages via the apt-get package manager.

    ORIGINAL ADVISORY: DSA-2550-1: http://www.debian.org/security/2012/dsa-2550

    OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/

    DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/

    EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/

    EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/

    EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/


    About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities.

    Subscribe: http://secunia.com/advisories/secunia_security_advisories/

    Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/

    Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.


    Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org


    Show details on source website

    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-201208-0619",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "asterisk",
            "version": "10.0.0"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "asterisk",
            "version": "1.8.5.0"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "asterisk",
            "version": "10.1.3"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "asterisk",
            "version": "1.8.5"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "asterisk",
            "version": "1.8.0"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.6,
            "vendor": "asterisk",
            "version": "10.2.0"
          },
          {
            "model": "certified asterisk",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "asterisk",
            "version": "1.8.11"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.3,
            "vendor": "asterisk",
            "version": "1.8.3.1"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.1.1"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.1"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.4.3"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.9.3"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.7.1"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.2.2"
          },
          {
            "model": "digiumphones",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "10.7.0"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "10.4.0"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.4"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.9.2"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.9.1"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.9.0"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.2.1"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.1.2"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.7"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.8.1"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "10.3"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.7.0"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.8.2"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.10.1"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.4.4"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.3.3"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.6.0"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "10.3.0"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.11.0"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.4.2"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "10.1.1"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.3"
          },
          {
            "model": "business edition",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "c.3.7.5"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.10.0"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.11.1"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.2"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.2.4"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.8.0"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.12.0"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "10.1.0"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.3.2"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.4.1"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "10.0.1"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.7.2"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "10.3.1"
          },
          {
            "model": "asterisk",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "sangoma",
            "version": "10.7.0"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.2.3"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "10.1.2"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "10.2.1"
          },
          {
            "model": "business edition",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "c.3.0"
          },
          {
            "model": "asterisk",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "sangoma",
            "version": "1.8.15.0"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.12"
          },
          {
            "model": "certified asterisk",
            "scope": "lte",
            "trust": 1.0,
            "vendor": "asterisk",
            "version": "1.8.11"
          },
          {
            "model": "asterisk open source",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "digium",
            "version": "1.8.15.1"
          },
          {
            "model": "asterisk open source",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "digium",
            "version": "10.7.1"
          },
          {
            "model": "certified asterisk",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "digium",
            "version": "1.8.11-cert6"
          },
          {
            "model": "asterisk business edition",
            "scope": "lt",
            "trust": 0.8,
            "vendor": "digium",
            "version": "c.3.x"
          },
          {
            "model": "asterisk open source",
            "scope": "lt",
            "trust": 0.8,
            "vendor": "digium",
            "version": "1.8.x"
          },
          {
            "model": "asterisk business edition",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "digium",
            "version": "c.3.7.6"
          },
          {
            "model": "certified asterisk",
            "scope": "lt",
            "trust": 0.8,
            "vendor": "digium",
            "version": "1.8.11"
          },
          {
            "model": "asterisk open source",
            "scope": "lt",
            "trust": 0.8,
            "vendor": "digium",
            "version": "10.x"
          },
          {
            "model": "asterisk with digiumphones",
            "scope": "lt",
            "trust": 0.8,
            "vendor": "digium",
            "version": "10.x.x-digiumphones"
          },
          {
            "model": "asterisk with digiumphones",
            "scope": "eq",
            "trust": 0.8,
            "vendor": "digium",
            "version": "10.7.1-digiumphones"
          },
          {
            "model": "linux",
            "scope": null,
            "trust": 0.3,
            "vendor": "gentoo",
            "version": null
          },
          {
            "model": "linux sparc",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "debian",
            "version": "6.0"
          },
          {
            "model": "linux s/390",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "debian",
            "version": "6.0"
          },
          {
            "model": "linux powerpc",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "debian",
            "version": "6.0"
          },
          {
            "model": "linux mips",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "debian",
            "version": "6.0"
          },
          {
            "model": "linux ia-64",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "debian",
            "version": "6.0"
          },
          {
            "model": "linux ia-32",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "debian",
            "version": "6.0"
          },
          {
            "model": "linux arm",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "debian",
            "version": "6.0"
          },
          {
            "model": "linux amd64",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "debian",
            "version": "6.0"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "asterisk",
            "version": "10.7"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "asterisk",
            "version": "1.6.2.17.1"
          },
          {
            "model": "open source",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "asterisk",
            "version": "1.6.1.23"
          },
          {
            "model": "digiumphones 10.5.2-digiumphones",
            "scope": null,
            "trust": 0.3,
            "vendor": "asterisk",
            "version": null
          },
          {
            "model": "digiumphones 10.5.1-digiumphones",
            "scope": null,
            "trust": 0.3,
            "vendor": "asterisk",
            "version": null
          },
          {
            "model": "business edition c.3.7.5",
            "scope": null,
            "trust": 0.3,
            "vendor": "asterisk",
            "version": null
          },
          {
            "model": "business edition c.3.7.4",
            "scope": null,
            "trust": 0.3,
            "vendor": "asterisk",
            "version": null
          },
          {
            "model": "business edition c.3.7.3",
            "scope": null,
            "trust": 0.3,
            "vendor": "asterisk",
            "version": null
          },
          {
            "model": "business edition c.3.6.4",
            "scope": null,
            "trust": 0.3,
            "vendor": "asterisk",
            "version": null
          },
          {
            "model": "business edition c.3.6.3",
            "scope": null,
            "trust": 0.3,
            "vendor": "asterisk",
            "version": null
          },
          {
            "model": "business edition c.3.6.2",
            "scope": null,
            "trust": 0.3,
            "vendor": "asterisk",
            "version": null
          },
          {
            "model": "business edition c.3.3.2",
            "scope": null,
            "trust": 0.3,
            "vendor": "asterisk",
            "version": null
          },
          {
            "model": "business edition c.3.2",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "asterisk",
            "version": "3"
          },
          {
            "model": "business edition c.3.2",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "asterisk",
            "version": "2"
          },
          {
            "model": "business edition c.3.1.0",
            "scope": null,
            "trust": 0.3,
            "vendor": "asterisk",
            "version": null
          },
          {
            "model": "business edition c.3.1",
            "scope": "eq",
            "trust": 0.3,
            "vendor": "asterisk",
            "version": "1"
          },
          {
            "model": "certified asterisk 1.8.11-cert6",
            "scope": "ne",
            "trust": 0.3,
            "vendor": "asterisk",
            "version": null
          },
          {
            "model": "open source",
            "scope": "ne",
            "trust": 0.3,
            "vendor": "asterisk",
            "version": "10.7.1"
          },
          {
            "model": "open source",
            "scope": "ne",
            "trust": 0.3,
            "vendor": "asterisk",
            "version": "1.8.15.1"
          },
          {
            "model": "digiumphones 10.7.1-digiumphones",
            "scope": "ne",
            "trust": 0.3,
            "vendor": "asterisk",
            "version": null
          },
          {
            "model": "business edition c.3.7.6",
            "scope": "ne",
            "trust": 0.3,
            "vendor": "asterisk",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "BID",
            "id": "55351"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2012-004020"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201208-683"
          },
          {
            "db": "NVD",
            "id": "CVE-2012-2186"
          }
        ]
      },
      "configurations": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/configurations#",
          "children": {
            "@container": "@list"
          },
          "cpe_match": {
            "@container": "@list"
          },
          "data": {
            "@container": "@list"
          },
          "nodes": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "CVE_data_version": "4.0",
            "nodes": [
              {
                "cpe_match": [
                  {
                    "cpe22Uri": "cpe:/a:digium:asterisk_business_edition",
                    "vulnerable": true
                  },
                  {
                    "cpe22Uri": "cpe:/a:digium:open_source",
                    "vulnerable": true
                  },
                  {
                    "cpe22Uri": "cpe:/a:digium:asterisk_digiumphones",
                    "vulnerable": true
                  },
                  {
                    "cpe22Uri": "cpe:/a:digium:certified_asterisk",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2012-004020"
          }
        ]
      },
      "credits": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/credits#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Zubair Ashraf of IBM X-Force Research",
        "sources": [
          {
            "db": "BID",
            "id": "55351"
          }
        ],
        "trust": 0.3
      },
      "cve": "CVE-2012-2186",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [
              {
                "accessComplexity": "LOW",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "author": "nvd@nist.gov",
                "availabilityImpact": "COMPLETE",
                "baseScore": 9.0,
                "confidentialityImpact": "COMPLETE",
                "exploitabilityScore": 8.0,
                "id": "CVE-2012-2186",
                "impactScore": 10.0,
                "integrityImpact": "COMPLETE",
                "severity": "HIGH",
                "trust": 1.8,
                "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
                "version": "2.0"
              }
            ],
            "cvssV3": [],
            "severity": [
              {
                "author": "nvd@nist.gov",
                "id": "CVE-2012-2186",
                "trust": 1.0,
                "value": "HIGH"
              },
              {
                "author": "NVD",
                "id": "CVE-2012-2186",
                "trust": 0.8,
                "value": "High"
              },
              {
                "author": "CNNVD",
                "id": "CNNVD-201208-683",
                "trust": 0.6,
                "value": "CRITICAL"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2012-004020"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201208-683"
          },
          {
            "db": "NVD",
            "id": "CVE-2012-2186"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Incomplete blacklist vulnerability in main/manager.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert6, Asterisk Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6 allows remote authenticated users to execute arbitrary commands by leveraging originate privileges and providing an ExternalIVR value in an AMI Originate action. Asterisk is prone to a security-bypass vulnerability that affects the manager interface. \nAn attacker can exploit this issue to bypass certain security restrictions and execute shell commands within the context of the affected application.                Asterisk Project Security Advisory - AST-2012-012\n\n          Product         Asterisk                                            \n          Summary         Asterisk Manager User Unauthorized Shell Access     \n     Nature of Advisory   Permission Escalation                               \n       Susceptibility     Remote Authenticated Sessions                       \n          Severity        Minor                                               \n       Exploits Known     No                                                  \n        Reported On       July 13, 2012                                       \n        Reported By       Zubair Ashraf of IBM X-Force Research               \n         Posted On        August 30, 2012                                     \n      Last Updated On     August 30, 2012                                     \n      Advisory Contact    Matt Jordan \u003c mjordan AT digium DOT com \u003e           \n          CVE Name        CVE-2012-2186                                       \n\n    Description  The AMI Originate action can allow a remote user to specify  \n                 information that can be used to execute shell commands on    \n                 the system hosting Asterisk. This can result in an unwanted  \n                 escalation of permissions, as the Originate action, which    \n                 requires the \"originate\" class authorization, can be used    \n                 to perform actions that would typically require the          \n                 \"system\" class authorization. Previous attempts to prevent   \n                 this permission escalation (AST-2011-006, AST-2012-004)      \n                 have sought to do so by inspecting the names of              \n                 applications and functions passed in with the Originate      \n                 action and, if those applications/functions matched a        \n                 predefined set of values, rejecting the command if the user  \n                 lacked the \"system\" class authorization. As reported by IBM  \n                 X-Force Research, the \"ExternalIVR\" application is not       \n                 listed in the predefined set of values. The solution for     \n                 this particular vulnerability is to include the              \n                 \"ExternalIVR\" application in the set of defined              \n                 applications/functions that require \"system\" class           \n                 authorization.                                               \n                                                                              \n                 Unfortunately, the approach of inspecting fields in the      \n                 Originate action against known applications/functions has a  \n                 significant flaw. The predefined set of values can be        \n                 bypassed by creative use of the Originate action or by       \n                 certain dialplan configurations, which is beyond the         \n                 ability of Asterisk to analyze at run-time. Attempting to    \n                 work around these scenarios would result in severely         \n                 restricting the applications or functions and prevent their  \n                 usage for legitimate means. As such, any additional          \n                 security vulnerabilities, where an application/function      \n                 that would normally require the \"system\" class               \n                 authorization can be executed by users with the \"originate\"  \n                 class authorization, will not be addressed. Proper system configuration can limit the impact   \n                 of such scenarios.                                           \n                                                                              \n                 The next release of each version of Asterisk will contain,   \n                 in addition to the fix for the \"ExternalIVR\" application,    \n                 an updated README-SERIOUSLY.bestpractices.txt file.          \n\n    Resolution  Asterisk now checks for the \"ExternalIVR\" application when    \n                processing the Originate action.                              \n                                                                              \n                Additionally, the README-SERIOUSLY.bestpractices.txt file     \n                has been updated. It is highly recommended that, if AMI is    \n                utilized with accounts that have the \"originate\" class        \n                authorization, Asterisk is run under a defined user that      \n                does not have root permissions. Accounts with the             \n                \"originate\" class authorization should be treated in a        \n                similar manner to those with the \"system\" class               \n                authorization. All Rights Reserved. \n  Permission is hereby granted to distribute and publish this advisory in its\n                           original, unaltered form. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory                           GLSA 201209-15\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n                                            http://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n    Title: Asterisk: Multiple vulnerabilities\n     Date: September 26, 2012\n     Bugs: #425050, #433750\n       ID: 201209-15\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nMultiple vulnerabilities have been found in Asterisk, the worst of\nwhich may allow execution of arbitrary code. \n\nBackground\n==========\n\nAsterisk is an open source telephony engine and toolkit. \n\nAffected packages\n=================\n\n    -------------------------------------------------------------------\n     Package              /     Vulnerable     /            Unaffected\n    -------------------------------------------------------------------\n  1  net-misc/asterisk           \u003c 1.8.15.1               \u003e= 1.8.15.1\n\nDescription\n===========\n\nMultiple vulnerabilities have been found in Asterisk:\n\n* An error in manager.c allows shell access (CVE-2012-2186). \n* An error in Asterisk could cause all RTP ports to be exhausted\n  (CVE-2012-3812). \n* A double-free error could occur when two parties attempt to\n  manipulate the same voicemail account simultaneously (CVE-2012-3863). \n* Asterisk does not properly implement certain ACL rules\n  (CVE-2012-4737). \n\nImpact\n======\n\nA remote, authenticated attacker could execute arbitrary code with the\nprivileges of the process, cause a Denial of Service condition, or\nbypass outbound call restrictions. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll Asterisk users should upgrade to the latest version:\n\n  # emerge --sync\n  # emerge --ask --oneshot --verbose \"\u003e=net-misc/asterisk-1.8.15.1\"\n\nReferences\n==========\n\n[ 1 ] CVE-2012-2186\n      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2186\n[ 2 ] CVE-2012-3812\n      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3812\n[ 3 ] CVE-2012-3863\n      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3863\n[ 4 ] CVE-2012-4737\n      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4737\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n http://security.gentoo.org/glsa/glsa-201209-15.xml\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2012 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttp://creativecommons.org/licenses/by-sa/2.5\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2550-1                   security@debian.org\nhttp://www.debian.org/security/                        Moritz Muehlenhoff\nSeptember 18, 2012                     http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage        : asterisk\nVulnerability  : several\nProblem type   : remote\nDebian-specific: no\nCVE ID         : CVE-2012-2186 CVE-2012-3812 CVE-2012-3863 CVE-2012-4737\n\nSeveral vulnerabilities were discovered in Asterisk, a PBX and telephony \ntoolkit, allowing privilege escalation in the Asterisk Manager, denial of\nservice or privilege escalation. \n\nMore detailed information can be found in the Asterisk advisories:\nhttp://downloads.asterisk.org/pub/security/AST-2012-010.html \nhttp://downloads.asterisk.org/pub/security/AST-2012-011.html \nhttp://downloads.asterisk.org/pub/security/AST-2012-012.html \nhttp://downloads.asterisk.org/pub/security/AST-2012-013.html \n\nFor the stable distribution (squeeze), these problems have been fixed in\nversion 1:1.6.2.9-2+squeeze7. \n\nFor the testing distribution (wheezy) and the unstable distribution (sid), \nthese problems have been fixed in version 1:1.8.13.1~dfsg-1. \n\nWe recommend that you upgrade your asterisk packages. \n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.12 (GNU/Linux)\n\niEYEARECAAYFAlBYrLoACgkQXm3vHE4uylqDBgCfTQnp2Z1XZSgJkg1L84SDPnjK\nmuwAoOINdMCYMfcEc8spGQ7wrCWPKGaR\n=FRM+\n-----END PGP SIGNATURE-----\n\n\n. ----------------------------------------------------------------------\n\nThe final version of the CSI 6.0 has been released. \nFind out why this is not just another Patch Management solution: http://secunia.com/blog/325/\n\n----------------------------------------------------------------------\n\nTITLE:\nDebian update for asterisk\n\nSECUNIA ADVISORY ID:\nSA50687\n\nVERIFY ADVISORY:\nSecunia.com\nhttp://secunia.com/advisories/50687/\nCustomer Area (Credentials Required)\nhttps://ca.secunia.com/?page=viewadvisory\u0026vuln_id=50687\n\nRELEASE DATE:\n2012-09-19\n\nDISCUSS ADVISORY:\nhttp://secunia.com/advisories/50687/#comments\n\nAVAILABLE ON SITE AND IN CUSTOMER AREA:\n * Last Update\n * Popularity\n * Comments\n * Criticality Level\n * Impact\n * Where\n * Solution Status\n * Operating System / Software\n * CVE Reference(s)\n\nhttp://secunia.com/advisories/50687/\n\nONLY AVAILABLE IN CUSTOMER AREA:\n * Authentication Level\n * Report Reliability\n * Secunia PoC\n * Secunia Analysis\n * Systems Affected\n * Approve Distribution\n * Remediation Status\n * Secunia CVSS Score\n * CVSS\n\nhttps://ca.secunia.com/?page=viewadvisory\u0026vuln_id=50687\n\nONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:\n * AUTOMATED SCANNING\n\nhttp://secunia.com/vulnerability_scanning/personal/\nhttp://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/\n\nDESCRIPTION:\nDebian has issued an update for asterisk. \n\nFor more information:\nSA49814\nSA50456\n\nSOLUTION:\nApply updated packages via the apt-get package manager. \n\nORIGINAL ADVISORY:\nDSA-2550-1:\nhttp://www.debian.org/security/2012/dsa-2550\n\nOTHER REFERENCES:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\nDEEP LINKS:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\nEXTENDED DESCRIPTION:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\nEXTENDED SOLUTION:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\nEXPLOIT:\nFurther details available in Customer Area:\nhttp://secunia.com/vulnerability_intelligence/\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\nprivate users keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2012-2186"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2012-004020"
          },
          {
            "db": "BID",
            "id": "55351"
          },
          {
            "db": "PACKETSTORM",
            "id": "116096"
          },
          {
            "db": "PACKETSTORM",
            "id": "116914"
          },
          {
            "db": "PACKETSTORM",
            "id": "116960"
          },
          {
            "db": "PACKETSTORM",
            "id": "116896"
          },
          {
            "db": "PACKETSTORM",
            "id": "116646"
          },
          {
            "db": "PACKETSTORM",
            "id": "116705"
          }
        ],
        "trust": 2.43
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2012-2186",
            "trust": 3.1
          },
          {
            "db": "SECUNIA",
            "id": "50756",
            "trust": 1.1
          },
          {
            "db": "SECUNIA",
            "id": "50687",
            "trust": 1.1
          },
          {
            "db": "SECTRACK",
            "id": "1027460",
            "trust": 1.0
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2012-004020",
            "trust": 0.8
          },
          {
            "db": "NSFOCUS",
            "id": "20761",
            "trust": 0.6
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201208-683",
            "trust": 0.6
          },
          {
            "db": "BID",
            "id": "55351",
            "trust": 0.3
          },
          {
            "db": "PACKETSTORM",
            "id": "116096",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "116914",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "116960",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "116896",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "116646",
            "trust": 0.1
          },
          {
            "db": "PACKETSTORM",
            "id": "116705",
            "trust": 0.1
          }
        ],
        "sources": [
          {
            "db": "BID",
            "id": "55351"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2012-004020"
          },
          {
            "db": "PACKETSTORM",
            "id": "116096"
          },
          {
            "db": "PACKETSTORM",
            "id": "116914"
          },
          {
            "db": "PACKETSTORM",
            "id": "116960"
          },
          {
            "db": "PACKETSTORM",
            "id": "116896"
          },
          {
            "db": "PACKETSTORM",
            "id": "116646"
          },
          {
            "db": "PACKETSTORM",
            "id": "116705"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201208-683"
          },
          {
            "db": "NVD",
            "id": "CVE-2012-2186"
          }
        ]
      },
      "id": "VAR-201208-0619",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.348297215
      },
      "last_update_date": "2025-04-11T23:08:50.009000Z",
      "patch": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/patch#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "title": "AST-2012-012",
            "trust": 0.8,
            "url": "http://downloads.asterisk.org/pub/security/AST-2012-012.html"
          },
          {
            "title": "DSA-2550",
            "trust": 0.8,
            "url": "http://www.debian.org/security/2012/dsa-2550"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2012-004020"
          }
        ]
      },
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "NVD-CWE-Other",
            "trust": 1.0
          },
          {
            "problemtype": "CWE-nocwe",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2012-004020"
          },
          {
            "db": "NVD",
            "id": "CVE-2012-2186"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.7,
            "url": "http://downloads.asterisk.org/pub/security/ast-2012-012.html"
          },
          {
            "trust": 1.1,
            "url": "http://www.debian.org/security/2012/dsa-2550"
          },
          {
            "trust": 1.0,
            "url": "http://secunia.com/advisories/50756"
          },
          {
            "trust": 1.0,
            "url": "http://www.securitytracker.com/id?1027460"
          },
          {
            "trust": 1.0,
            "url": "http://secunia.com/advisories/50687"
          },
          {
            "trust": 0.8,
            "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-2186"
          },
          {
            "trust": 0.8,
            "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-2186"
          },
          {
            "trust": 0.6,
            "url": "http://www.nsfocus.net/vulndb/20761"
          },
          {
            "trust": 0.4,
            "url": "https://issues.asterisk.org/jira/browse/asterisk-20132"
          },
          {
            "trust": 0.4,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2012-2186"
          },
          {
            "trust": 0.3,
            "url": "http://www.asterisk.org/"
          },
          {
            "trust": 0.3,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2012-3812"
          },
          {
            "trust": 0.3,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2012-4737"
          },
          {
            "trust": 0.3,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2012-3863"
          },
          {
            "trust": 0.2,
            "url": "http://secunia.com/vulnerability_intelligence/"
          },
          {
            "trust": 0.2,
            "url": "http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/"
          },
          {
            "trust": 0.2,
            "url": "http://secunia.com/advisories/secunia_security_advisories/"
          },
          {
            "trust": 0.2,
            "url": "http://secunia.com/vulnerability_scanning/personal/"
          },
          {
            "trust": 0.2,
            "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
          },
          {
            "trust": 0.2,
            "url": "http://secunia.com/blog/325/"
          },
          {
            "trust": 0.2,
            "url": "http://secunia.com/advisories/about_secunia_advisories/"
          },
          {
            "trust": 0.2,
            "url": "http://www.debian.org/security/faq"
          },
          {
            "trust": 0.2,
            "url": "http://www.debian.org/security/"
          },
          {
            "trust": 0.1,
            "url": "http://downloads.digium.com/pub/security/ast-2012-012.pdf"
          },
          {
            "trust": 0.1,
            "url": "http://downloads.digium.com/pub/security/ast-2012-012.html"
          },
          {
            "trust": 0.1,
            "url": "http://www.asterisk.org/security"
          },
          {
            "trust": 0.1,
            "url": "http://downloads.asterisk.org/pub/security/ast-2012-012-1.8.diff"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2012-3863"
          },
          {
            "trust": 0.1,
            "url": "http://creativecommons.org/licenses/by-sa/2.5"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2012-2186"
          },
          {
            "trust": 0.1,
            "url": "https://bugs.gentoo.org."
          },
          {
            "trust": 0.1,
            "url": "http://security.gentoo.org/glsa/glsa-201209-15.xml"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2012-3812"
          },
          {
            "trust": 0.1,
            "url": "http://security.gentoo.org/"
          },
          {
            "trust": 0.1,
            "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2012-4737"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/advisories/50756/#comments"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/advisories/50756/"
          },
          {
            "trust": 0.1,
            "url": "https://ca.secunia.com/?page=viewadvisory\u0026vuln_id=50756"
          },
          {
            "trust": 0.1,
            "url": "http://www.gentoo.org/security/en/glsa/glsa-201209-15.xml"
          },
          {
            "trust": 0.1,
            "url": "http://downloads.asterisk.org/pub/security/ast-2012-011.html"
          },
          {
            "trust": 0.1,
            "url": "http://downloads.asterisk.org/pub/security/ast-2012-010.html"
          },
          {
            "trust": 0.1,
            "url": "http://downloads.asterisk.org/pub/security/ast-2012-013.html"
          },
          {
            "trust": 0.1,
            "url": "https://ca.secunia.com/?page=viewadvisory\u0026vuln_id=50687"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/advisories/50687/#comments"
          },
          {
            "trust": 0.1,
            "url": "http://secunia.com/advisories/50687/"
          }
        ],
        "sources": [
          {
            "db": "BID",
            "id": "55351"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2012-004020"
          },
          {
            "db": "PACKETSTORM",
            "id": "116096"
          },
          {
            "db": "PACKETSTORM",
            "id": "116914"
          },
          {
            "db": "PACKETSTORM",
            "id": "116960"
          },
          {
            "db": "PACKETSTORM",
            "id": "116896"
          },
          {
            "db": "PACKETSTORM",
            "id": "116646"
          },
          {
            "db": "PACKETSTORM",
            "id": "116705"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201208-683"
          },
          {
            "db": "NVD",
            "id": "CVE-2012-2186"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "BID",
            "id": "55351"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2012-004020"
          },
          {
            "db": "PACKETSTORM",
            "id": "116096"
          },
          {
            "db": "PACKETSTORM",
            "id": "116914"
          },
          {
            "db": "PACKETSTORM",
            "id": "116960"
          },
          {
            "db": "PACKETSTORM",
            "id": "116896"
          },
          {
            "db": "PACKETSTORM",
            "id": "116646"
          },
          {
            "db": "PACKETSTORM",
            "id": "116705"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201208-683"
          },
          {
            "db": "NVD",
            "id": "CVE-2012-2186"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2012-08-30T00:00:00",
            "db": "BID",
            "id": "55351"
          },
          {
            "date": "2012-09-03T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2012-004020"
          },
          {
            "date": "2012-08-30T21:46:42",
            "db": "PACKETSTORM",
            "id": "116096"
          },
          {
            "date": "2012-09-27T00:09:12",
            "db": "PACKETSTORM",
            "id": "116914"
          },
          {
            "date": "2012-09-28T03:46:47",
            "db": "PACKETSTORM",
            "id": "116960"
          },
          {
            "date": "2012-09-26T22:17:20",
            "db": "PACKETSTORM",
            "id": "116896"
          },
          {
            "date": "2012-09-19T07:22:56",
            "db": "PACKETSTORM",
            "id": "116646"
          },
          {
            "date": "2012-09-19T10:31:08",
            "db": "PACKETSTORM",
            "id": "116705"
          },
          {
            "date": "2012-08-31T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201208-683"
          },
          {
            "date": "2012-08-31T14:55:00.950000",
            "db": "NVD",
            "id": "CVE-2012-2186"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2015-04-13T22:13:00",
            "db": "BID",
            "id": "55351"
          },
          {
            "date": "2012-11-08T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2012-004020"
          },
          {
            "date": "2012-09-05T00:00:00",
            "db": "CNNVD",
            "id": "CNNVD-201208-683"
          },
          {
            "date": "2025-04-11T00:51:21.963000",
            "db": "NVD",
            "id": "CVE-2012-2186"
          }
        ]
      },
      "threat_type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "remote",
        "sources": [
          {
            "db": "PACKETSTORM",
            "id": "116096"
          },
          {
            "db": "CNNVD",
            "id": "CNNVD-201208-683"
          }
        ],
        "trust": 0.7
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "plural  Asterisk Product of  main/manager.c Vulnerable to arbitrary command execution",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2012-004020"
          }
        ],
        "trust": 0.8
      },
      "type": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/type#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Access Validation Error",
        "sources": [
          {
            "db": "BID",
            "id": "55351"
          }
        ],
        "trust": 0.3
      }
    }

    CVE-2013-2686 (GCVE-0-2013-2686)

    Vulnerability from nvd – Published: 2013-03-29 18:00 – Updated: 2024-09-16 22:35
    VLAI
    Summary
    main/http.c in the HTTP server in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before 1.8.15-cert2; and Asterisk Digiumphones 10.x-digiumphones before 10.12.2-digiumphones does not properly restrict Content-Length values, which allows remote attackers to conduct stack-consumption attacks and cause a denial of service (daemon crash) via a crafted HTTP POST request. NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-5976.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T15:44:33.209Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://issues.asterisk.org/jira/browse/ASTERISK-20967"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://telussecuritylabs.com/threats/show/TSL20130327-01"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://downloads.asterisk.org/pub/security/AST-2013-002.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "main/http.c in the HTTP server in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before 1.8.15-cert2; and Asterisk Digiumphones 10.x-digiumphones before 10.12.2-digiumphones does not properly restrict Content-Length values, which allows remote attackers to conduct stack-consumption attacks and cause a denial of service (daemon crash) via a crafted HTTP POST request.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-5976."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2013-03-29T18:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://issues.asterisk.org/jira/browse/ASTERISK-20967"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://telussecuritylabs.com/threats/show/TSL20130327-01"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://downloads.asterisk.org/pub/security/AST-2013-002.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2013-2686",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "main/http.c in the HTTP server in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before 1.8.15-cert2; and Asterisk Digiumphones 10.x-digiumphones before 10.12.2-digiumphones does not properly restrict Content-Length values, which allows remote attackers to conduct stack-consumption attacks and cause a denial of service (daemon crash) via a crafted HTTP POST request.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-5976."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://issues.asterisk.org/jira/browse/ASTERISK-20967",
                  "refsource": "CONFIRM",
                  "url": "https://issues.asterisk.org/jira/browse/ASTERISK-20967"
                },
                {
                  "name": "http://telussecuritylabs.com/threats/show/TSL20130327-01",
                  "refsource": "MISC",
                  "url": "http://telussecuritylabs.com/threats/show/TSL20130327-01"
                },
                {
                  "name": "http://downloads.asterisk.org/pub/security/AST-2013-002.html",
                  "refsource": "CONFIRM",
                  "url": "http://downloads.asterisk.org/pub/security/AST-2013-002.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2013-2686",
        "datePublished": "2013-03-29T18:00:00.000Z",
        "dateReserved": "2013-03-25T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:35:02.870Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2013-2264 (GCVE-0-2013-2264)

    Vulnerability from nvd – Published: 2013-03-29 18:00 – Updated: 2024-09-16 17:38
    VLAI
    Summary
    The SIP channel driver in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before 1.8.15-cert2; Asterisk Business Edition (BE) C.3.x before C.3.8.1; and Asterisk Digiumphones 10.x-digiumphones before 10.12.2-digiumphones exhibits different behavior for invalid INVITE, SUBSCRIBE, and REGISTER transactions depending on whether the user account exists, which allows remote attackers to enumerate account names by (1) reading HTTP status codes, (2) reading additional text in a 403 (aka Forbidden) response, or (3) observing whether certain retransmissions occur.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T15:27:41.188Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://downloads.asterisk.org/pub/security/AST-2013-003.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://issues.asterisk.org/jira/browse/ASTERISK-21013"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The SIP channel driver in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before 1.8.15-cert2; Asterisk Business Edition (BE) C.3.x before C.3.8.1; and Asterisk Digiumphones 10.x-digiumphones before 10.12.2-digiumphones exhibits different behavior for invalid INVITE, SUBSCRIBE, and REGISTER transactions depending on whether the user account exists, which allows remote attackers to enumerate account names by (1) reading HTTP status codes, (2) reading additional text in a 403 (aka Forbidden) response, or (3) observing whether certain retransmissions occur."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2013-03-29T18:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://downloads.asterisk.org/pub/security/AST-2013-003.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://issues.asterisk.org/jira/browse/ASTERISK-21013"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2013-2264",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The SIP channel driver in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before 1.8.15-cert2; Asterisk Business Edition (BE) C.3.x before C.3.8.1; and Asterisk Digiumphones 10.x-digiumphones before 10.12.2-digiumphones exhibits different behavior for invalid INVITE, SUBSCRIBE, and REGISTER transactions depending on whether the user account exists, which allows remote attackers to enumerate account names by (1) reading HTTP status codes, (2) reading additional text in a 403 (aka Forbidden) response, or (3) observing whether certain retransmissions occur."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "http://downloads.asterisk.org/pub/security/AST-2013-003.html",
                  "refsource": "CONFIRM",
                  "url": "http://downloads.asterisk.org/pub/security/AST-2013-003.html"
                },
                {
                  "name": "https://issues.asterisk.org/jira/browse/ASTERISK-21013",
                  "refsource": "CONFIRM",
                  "url": "https://issues.asterisk.org/jira/browse/ASTERISK-21013"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2013-2264",
        "datePublished": "2013-03-29T18:00:00.000Z",
        "dateReserved": "2013-02-20T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:38:10.972Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2012-2186 (GCVE-0-2012-2186)

    Vulnerability from nvd – Published: 2012-08-31 14:00 – Updated: 2024-08-06 19:26
    VLAI
    Summary
    Incomplete blacklist vulnerability in main/manager.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert6, Asterisk Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6 allows remote authenticated users to execute arbitrary commands by leveraging originate privileges and providing an ExternalIVR value in an AMI Originate action.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    ibm
    References
    URL Tags
    http://secunia.com/advisories/50687 third-party-advisoryx_refsource_SECUNIA
    http://secunia.com/advisories/50756 third-party-advisoryx_refsource_SECUNIA
    http://www.debian.org/security/2012/dsa-2550 vendor-advisoryx_refsource_DEBIAN
    http://downloads.asterisk.org/pub/security/AST-20… x_refsource_CONFIRM
    http://www.securitytracker.com/id?1027460 vdb-entryx_refsource_SECTRACK
    Date Public
    2012-08-30 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T19:26:08.975Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "50687",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/50687"
              },
              {
                "name": "50756",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/50756"
              },
              {
                "name": "DSA-2550",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "http://www.debian.org/security/2012/dsa-2550"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://downloads.asterisk.org/pub/security/AST-2012-012.html"
              },
              {
                "name": "1027460",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id?1027460"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2012-08-30T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Incomplete blacklist vulnerability in main/manager.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert6, Asterisk Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6 allows remote authenticated users to execute arbitrary commands by leveraging originate privileges and providing an ExternalIVR value in an AMI Originate action."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2012-10-31T09:00:00.000Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "name": "50687",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/50687"
            },
            {
              "name": "50756",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/50756"
            },
            {
              "name": "DSA-2550",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "http://www.debian.org/security/2012/dsa-2550"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://downloads.asterisk.org/pub/security/AST-2012-012.html"
            },
            {
              "name": "1027460",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id?1027460"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@us.ibm.com",
              "ID": "CVE-2012-2186",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Incomplete blacklist vulnerability in main/manager.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert6, Asterisk Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6 allows remote authenticated users to execute arbitrary commands by leveraging originate privileges and providing an ExternalIVR value in an AMI Originate action."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "50687",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/50687"
                },
                {
                  "name": "50756",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/50756"
                },
                {
                  "name": "DSA-2550",
                  "refsource": "DEBIAN",
                  "url": "http://www.debian.org/security/2012/dsa-2550"
                },
                {
                  "name": "http://downloads.asterisk.org/pub/security/AST-2012-012.html",
                  "refsource": "CONFIRM",
                  "url": "http://downloads.asterisk.org/pub/security/AST-2012-012.html"
                },
                {
                  "name": "1027460",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id?1027460"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2012-2186",
        "datePublished": "2012-08-31T14:00:00.000Z",
        "dateReserved": "2012-04-04T00:00:00.000Z",
        "dateUpdated": "2024-08-06T19:26:08.975Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2013-2686 (GCVE-0-2013-2686)

    Vulnerability from cvelistv5 – Published: 2013-03-29 18:00 – Updated: 2024-09-16 22:35
    VLAI
    Summary
    main/http.c in the HTTP server in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before 1.8.15-cert2; and Asterisk Digiumphones 10.x-digiumphones before 10.12.2-digiumphones does not properly restrict Content-Length values, which allows remote attackers to conduct stack-consumption attacks and cause a denial of service (daemon crash) via a crafted HTTP POST request. NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-5976.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T15:44:33.209Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://issues.asterisk.org/jira/browse/ASTERISK-20967"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://telussecuritylabs.com/threats/show/TSL20130327-01"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://downloads.asterisk.org/pub/security/AST-2013-002.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "main/http.c in the HTTP server in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before 1.8.15-cert2; and Asterisk Digiumphones 10.x-digiumphones before 10.12.2-digiumphones does not properly restrict Content-Length values, which allows remote attackers to conduct stack-consumption attacks and cause a denial of service (daemon crash) via a crafted HTTP POST request.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-5976."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2013-03-29T18:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://issues.asterisk.org/jira/browse/ASTERISK-20967"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://telussecuritylabs.com/threats/show/TSL20130327-01"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://downloads.asterisk.org/pub/security/AST-2013-002.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2013-2686",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "main/http.c in the HTTP server in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before 1.8.15-cert2; and Asterisk Digiumphones 10.x-digiumphones before 10.12.2-digiumphones does not properly restrict Content-Length values, which allows remote attackers to conduct stack-consumption attacks and cause a denial of service (daemon crash) via a crafted HTTP POST request.  NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-5976."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://issues.asterisk.org/jira/browse/ASTERISK-20967",
                  "refsource": "CONFIRM",
                  "url": "https://issues.asterisk.org/jira/browse/ASTERISK-20967"
                },
                {
                  "name": "http://telussecuritylabs.com/threats/show/TSL20130327-01",
                  "refsource": "MISC",
                  "url": "http://telussecuritylabs.com/threats/show/TSL20130327-01"
                },
                {
                  "name": "http://downloads.asterisk.org/pub/security/AST-2013-002.html",
                  "refsource": "CONFIRM",
                  "url": "http://downloads.asterisk.org/pub/security/AST-2013-002.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2013-2686",
        "datePublished": "2013-03-29T18:00:00.000Z",
        "dateReserved": "2013-03-25T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:35:02.870Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2013-2264 (GCVE-0-2013-2264)

    Vulnerability from cvelistv5 – Published: 2013-03-29 18:00 – Updated: 2024-09-16 17:38
    VLAI
    Summary
    The SIP channel driver in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before 1.8.15-cert2; Asterisk Business Edition (BE) C.3.x before C.3.8.1; and Asterisk Digiumphones 10.x-digiumphones before 10.12.2-digiumphones exhibits different behavior for invalid INVITE, SUBSCRIBE, and REGISTER transactions depending on whether the user account exists, which allows remote attackers to enumerate account names by (1) reading HTTP status codes, (2) reading additional text in a 403 (aka Forbidden) response, or (3) observing whether certain retransmissions occur.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T15:27:41.188Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://downloads.asterisk.org/pub/security/AST-2013-003.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://issues.asterisk.org/jira/browse/ASTERISK-21013"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The SIP channel driver in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before 1.8.15-cert2; Asterisk Business Edition (BE) C.3.x before C.3.8.1; and Asterisk Digiumphones 10.x-digiumphones before 10.12.2-digiumphones exhibits different behavior for invalid INVITE, SUBSCRIBE, and REGISTER transactions depending on whether the user account exists, which allows remote attackers to enumerate account names by (1) reading HTTP status codes, (2) reading additional text in a 403 (aka Forbidden) response, or (3) observing whether certain retransmissions occur."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2013-03-29T18:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://downloads.asterisk.org/pub/security/AST-2013-003.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://issues.asterisk.org/jira/browse/ASTERISK-21013"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2013-2264",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The SIP channel driver in Asterisk Open Source 1.8.x before 1.8.20.2, 10.x before 10.12.2, and 11.x before 11.2.2; Certified Asterisk 1.8.15 before 1.8.15-cert2; Asterisk Business Edition (BE) C.3.x before C.3.8.1; and Asterisk Digiumphones 10.x-digiumphones before 10.12.2-digiumphones exhibits different behavior for invalid INVITE, SUBSCRIBE, and REGISTER transactions depending on whether the user account exists, which allows remote attackers to enumerate account names by (1) reading HTTP status codes, (2) reading additional text in a 403 (aka Forbidden) response, or (3) observing whether certain retransmissions occur."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "http://downloads.asterisk.org/pub/security/AST-2013-003.html",
                  "refsource": "CONFIRM",
                  "url": "http://downloads.asterisk.org/pub/security/AST-2013-003.html"
                },
                {
                  "name": "https://issues.asterisk.org/jira/browse/ASTERISK-21013",
                  "refsource": "CONFIRM",
                  "url": "https://issues.asterisk.org/jira/browse/ASTERISK-21013"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2013-2264",
        "datePublished": "2013-03-29T18:00:00.000Z",
        "dateReserved": "2013-02-20T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:38:10.972Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2012-2186 (GCVE-0-2012-2186)

    Vulnerability from cvelistv5 – Published: 2012-08-31 14:00 – Updated: 2024-08-06 19:26
    VLAI
    Summary
    Incomplete blacklist vulnerability in main/manager.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert6, Asterisk Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6 allows remote authenticated users to execute arbitrary commands by leveraging originate privileges and providing an ExternalIVR value in an AMI Originate action.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    ibm
    References
    URL Tags
    http://secunia.com/advisories/50687 third-party-advisoryx_refsource_SECUNIA
    http://secunia.com/advisories/50756 third-party-advisoryx_refsource_SECUNIA
    http://www.debian.org/security/2012/dsa-2550 vendor-advisoryx_refsource_DEBIAN
    http://downloads.asterisk.org/pub/security/AST-20… x_refsource_CONFIRM
    http://www.securitytracker.com/id?1027460 vdb-entryx_refsource_SECTRACK
    Date Public
    2012-08-30 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T19:26:08.975Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "50687",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/50687"
              },
              {
                "name": "50756",
                "tags": [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
                  "x_transferred"
                ],
                "url": "http://secunia.com/advisories/50756"
              },
              {
                "name": "DSA-2550",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "http://www.debian.org/security/2012/dsa-2550"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "http://downloads.asterisk.org/pub/security/AST-2012-012.html"
              },
              {
                "name": "1027460",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id?1027460"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2012-08-30T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Incomplete blacklist vulnerability in main/manager.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert6, Asterisk Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6 allows remote authenticated users to execute arbitrary commands by leveraging originate privileges and providing an ExternalIVR value in an AMI Originate action."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2012-10-31T09:00:00.000Z",
            "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
            "shortName": "ibm"
          },
          "references": [
            {
              "name": "50687",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/50687"
            },
            {
              "name": "50756",
              "tags": [
                "third-party-advisory",
                "x_refsource_SECUNIA"
              ],
              "url": "http://secunia.com/advisories/50756"
            },
            {
              "name": "DSA-2550",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "http://www.debian.org/security/2012/dsa-2550"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "http://downloads.asterisk.org/pub/security/AST-2012-012.html"
            },
            {
              "name": "1027460",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id?1027460"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "psirt@us.ibm.com",
              "ID": "CVE-2012-2186",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Incomplete blacklist vulnerability in main/manager.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert6, Asterisk Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6 allows remote authenticated users to execute arbitrary commands by leveraging originate privileges and providing an ExternalIVR value in an AMI Originate action."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "50687",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/50687"
                },
                {
                  "name": "50756",
                  "refsource": "SECUNIA",
                  "url": "http://secunia.com/advisories/50756"
                },
                {
                  "name": "DSA-2550",
                  "refsource": "DEBIAN",
                  "url": "http://www.debian.org/security/2012/dsa-2550"
                },
                {
                  "name": "http://downloads.asterisk.org/pub/security/AST-2012-012.html",
                  "refsource": "CONFIRM",
                  "url": "http://downloads.asterisk.org/pub/security/AST-2012-012.html"
                },
                {
                  "name": "1027460",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id?1027460"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "assignerShortName": "ibm",
        "cveId": "CVE-2012-2186",
        "datePublished": "2012-08-31T14:00:00.000Z",
        "dateReserved": "2012-04-04T00:00:00.000Z",
        "dateUpdated": "2024-08-06T19:26:08.975Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }