FKIE_CVE-2026-23739

Vulnerability from fkie_nvd - Published: 2026-02-06 17:16 - Updated: 2026-02-18 18:42
Severity ?
2.0 (Low) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Summary
Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the ast_xml_open() function in xml.c parses XML documents using libxml with unsafe parsing options that enable entity expansion and XInclude processing. Specifically, it invokes xmlReadFile() with the XML_PARSE_NOENT flag and later processes XIncludes via xmlXIncludeProcess().If any untrusted or user-supplied XML file is passed to this function, it can allow an attacker to trigger XML External Entity (XXE) or XInclude-based local file disclosure, potentially exposing sensitive files from the host system. This can also be triggered in other cases in which the user is able to supply input in xml format that triggers the asterisk process to parse it. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.
References
security-advisories@github.comhttps://github.com/asterisk/asterisk/security/advisories/GHSA-85x7-54wr-vh42Vendor Advisory
Impacted products
Vendor Product Version
sangoma asterisk *
sangoma asterisk *
sangoma asterisk *
sangoma asterisk *
sangoma certified_asterisk *
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
sangoma certified_asterisk 20.7
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "46AC3571-DD52-4F3C-98D2-3BB915498D41",
              "versionEndExcluding": "20.18.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B9CB7760-849C-42CB-BF9A-A3DB40F19447",
              "versionEndExcluding": "21.12.1",
              "versionStartIncluding": "21.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "03AEEF8D-B546-4587-A236-63E2C41582FF",
              "versionEndExcluding": "22.8.2",
              "versionStartIncluding": "22.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B036D768-9ADA-4965-A596-BEF60749C3CD",
              "versionEndExcluding": "23.2.2",
              "versionStartIncluding": "23.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "44460225-C50D-414A-A2E0-F8280E1C1E1D",
              "versionEndIncluding": "18.9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1:*:*:*:*:*:*",
              "matchCriteriaId": "79225576-AF7C-4099-9624-C53578A7417F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc1:*:*:*:*:*:*",
              "matchCriteriaId": "29323E6E-12C9-46C7-B29C-25E0CD537A8E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc2:*:*:*:*:*:*",
              "matchCriteriaId": "8E563972-78C0-40A0-83EA-6A3BA3D71946",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert2:*:*:*:*:*:*",
              "matchCriteriaId": "64209621-D458-432A-B0E3-C8D0B6698574",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert3:*:*:*:*:*:*",
              "matchCriteriaId": "B148158A-8354-41C2-A44C-2C0DAABAD217",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert4:*:*:*:*:*:*",
              "matchCriteriaId": "3D4D96E8-1F01-42B8-9181-67DEB12D9DD2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert5:*:*:*:*:*:*",
              "matchCriteriaId": "50D1B02A-F5F9-48EB-A396-412821F5D602",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert6:*:*:*:*:*:*",
              "matchCriteriaId": "4CBB2891-448F-4C4E-8A47-2283A8F71FE6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert7:*:*:*:*:*:*",
              "matchCriteriaId": "A9AF30E9-FC50-4A5C-BC99-9B3394488B9D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sangoma:certified_asterisk:20.7:cert8:*:*:*:*:*:*",
              "matchCriteriaId": "1A41366F-EA16-4867-A198-ACFFE5AFEA9A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the ast_xml_open() function in xml.c parses XML documents using libxml with unsafe parsing options that enable entity expansion and XInclude processing. Specifically, it invokes xmlReadFile() with the XML_PARSE_NOENT flag and later processes XIncludes via xmlXIncludeProcess().If any untrusted or user-supplied XML file is passed to this function, it can allow an attacker to trigger XML External Entity (XXE) or XInclude-based local file disclosure, potentially exposing sensitive files from the host system. This can also be triggered in other cases in which the user is able to supply input in xml format that triggers the asterisk process to parse it. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2."
    },
    {
      "lang": "es",
      "value": "Asterisk es una centralita privada de c\u00f3digo abierto y un kit de herramientas de telefon\u00eda. Antes de las versiones 20.7-cert9, 20.18.2, 21.12.1, 22.8.2 y 23.2.2, la funci\u00f3n ast_xml_open() en xml.c analiza documentos XML usando libxml con opciones de an\u00e1lisis inseguras que permiten la expansi\u00f3n de entidades y el procesamiento de XInclude. Espec\u00edficamente, invoca xmlReadFile() con la bandera XML_PARSE_NOENT y posteriormente procesa XIncludes a trav\u00e9s de xmlXIncludeProcess(). Si cualquier archivo XML no confiable o proporcionado por el usuario se pasa a esta funci\u00f3n, puede permitir a un atacante activar una Entidad Externa XML (XXE) o una divulgaci\u00f3n de archivos locales basada en XInclude, exponiendo potencialmente archivos sensibles del sistema anfitri\u00f3n. Esto tambi\u00e9n puede ser activado en otros casos en los que el usuario puede proporcionar entrada en formato XML que activa el proceso de Asterisk para analizarla. Este problema ha sido parcheado en las versiones 20.7-cert9, 20.18.2, 21.12.1, 22.8.2 y 23.2.2."
    }
  ],
  "id": "CVE-2026-23739",
  "lastModified": "2026-02-18T18:42:37.300",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 2.0,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 0.5,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-02-06T17:16:26.147",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/asterisk/asterisk/security/advisories/GHSA-85x7-54wr-vh42"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-611"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.