Alpine: multiple asterisk packages: security update to 18.11.2-r0

critical Tenable Self-Hosted Container Security Plugin ID 423671

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- An issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it is possible to download files
that are not certificates. These files could be much larger than what one would expect to download,
leading to Resource Exhaustion. This is fixed in 16.25.2, 18.11.2, and 19.3.2. (CVE-2022-26498)

- An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send
arbitrary requests (such as GET) to interfaces such as localhost by using the Identity header. This is
fixed in 16.25.2, 18.11.2, and 19.3.2. (CVE-2022-26499)

- An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc
module provides possibly inadequate escaping functionality for backslash characters in SQL queries,
resulting in user-provided data creating a broken SQL query or possibly a SQL injection. This is fixed in
16.25.2, 18.11.2, and 19.3.2, and 16.8-cert14. (CVE-2022-26651)

See Also

https://security.alpinelinux.org/vuln/CVE-2022-26498

https://security.alpinelinux.org/vuln/CVE-2022-26499

https://security.alpinelinux.org/vuln/CVE-2022-26651

Plugin Details

Severity: Critical

ID: 423671

Version: Revision 1.11

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-26651

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 4/14/2022

Reference Information

CVE: CVE-2022-26498, CVE-2022-26499, CVE-2022-26651