Alpine: asterisk: security update to 18.11.2-r0

critical Tenable Cloud Security Plugin ID 403591

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it is possible to download files
that are not certificates. These files could be much larger than what one would expect to download,
leading to Resource Exhaustion. This is fixed in 16.25.2, 18.11.2, and 19.3.2. (CVE-2022-26498)

- An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send
arbitrary requests (such as GET) to interfaces such as localhost by using the Identity header. This is
fixed in 16.25.2, 18.11.2, and 19.3.2. (CVE-2022-26499)

- An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc
module provides possibly inadequate escaping functionality for backslash characters in SQL queries,
resulting in user-provided data creating a broken SQL query or possibly a SQL injection. This is fixed in
16.25.2, 18.11.2, and 19.3.2, and 16.8-cert14. (CVE-2022-26651)

See Also

https://security.alpinelinux.org/vuln/CVE-2022-26498

https://security.alpinelinux.org/vuln/CVE-2022-26499

https://security.alpinelinux.org/vuln/CVE-2022-26651

Plugin Details

Severity: Critical

ID: 403591

Version: Revision 1.37

Type: Local

Published: 10/31/2023

Updated: 12/30/2025

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-26651

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 4/14/2022

Reference Information

CVE: CVE-2022-26498, CVE-2022-26499, CVE-2022-26651