CVE-2011-1599

high

Description

manager.c in the Manager Interface in Asterisk Open Source 1.4.x before 1.4.40.1, 1.6.1.x before 1.6.1.25, 1.6.2.x before 1.6.2.17.3, and 1.8.x before 1.8.3.3, and in Asterisk Business Edition C.x.x before C.3.6.4, does not properly check for the system privilege, which allows remote authenticated users to execute arbitrary commands via an Originate action that has an Async header in conjunction with an Application header.

References

http://www.vupen.com/english/advisories/2011/1188

http://www.vupen.com/english/advisories/2011/1107

http://www.vupen.com/english/advisories/2011/1086

http://www.securityfocus.com/bid/47537

http://www.debian.org/security/2011/dsa-2225

http://securitytracker.com/id?1025433

http://secunia.com/advisories/44529

http://secunia.com/advisories/44197

http://openwall.com/lists/oss-security/2011/04/22/6

http://lists.fedoraproject.org/pipermail/package-announce/2011-May/059702.html

http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058922.html

http://downloads.digium.com/pub/security/AST-2011-006.html

Details

Source: Mitre, NVD

Published: 2011-04-27

Updated: 2011-09-07

Risk Information

CVSS v2

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High