Alpine: multiple asterisk packages: security update to 16.6.2-r0

high Tenable Cloud Security Plugin ID 423667

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An issue was discovered in manager.c in Sangoma Asterisk through 13.x, 16.x, 17.x and Certified Asterisk
13.21 through 13.21-cert4. A remote authenticated Asterisk Manager Interface (AMI) user without system
authorization could use a specially crafted Originate AMI request to execute arbitrary system commands.
(CVE-2019-18610)

- An issue was discovered in channels/chan_sip.c in Sangoma Asterisk 13.x before 13.29.2, 16.x before
16.6.2, and 17.x before 17.0.1, and Certified Asterisk 13.21 before cert5. A SIP request can be sent to
Asterisk that can change a SIP peer's IP address. A REGISTER does not need to occur, and calls can be
hijacked as a result. The only thing that needs to be known is the peer's name; authentication details
such as passwords do not need to be known. This vulnerability is only exploitable when the nat option is
set to the default, or auto_force_rport. (CVE-2019-18790)

See Also

https://security.alpinelinux.org/vuln/CVE-2019-18610

https://security.alpinelinux.org/vuln/CVE-2019-18790

Plugin Details

Severity: High

ID: 423667

Version: Revision 1.8

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.15

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2019-18610

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 11/22/2019

Reference Information

CVE: CVE-2019-18610, CVE-2019-18790