CVE-2022-42706

2022-12-0521:15:10

Alpine Linux Development Team

security.alpinelinux.org

sangoma asterisk

config directory traversal

cve-2022-42706

CVSS3

4.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

AI Score

6.2

Confidence

High

EPSS

0.002

Percentile

59.2%

JSON

An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. GetConfig, via Asterisk Manager Interface, allows a connected application to access files outside of the asterisk configuration directory, aka Directory Traversal.

OSVersionArchitecturePackageVersionFilename
Alpineedge-mainnoarchasterisk< 18.15.1-r0UNKNOWN
Alpine3.16-mainnoarchasterisk< 18.20.2-r0UNKNOWN
Alpine3.17-mainnoarchasterisk< 18.15.1-r0UNKNOWN
Alpine3.18-mainnoarchasterisk< 18.15.1-r0UNKNOWN
Alpine3.19-mainnoarchasterisk< 18.15.1-r0UNKNOWN
Alpine3.20-mainnoarchasterisk< 18.15.1-r0UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Alpine	edge-main	noarch	asterisk	< 18.15.1-r0	UNKNOWN
Alpine	3.16-main	noarch	asterisk	< 18.20.2-r0	UNKNOWN
Alpine	3.17-main	noarch	asterisk	< 18.15.1-r0	UNKNOWN
Alpine	3.18-main	noarch	asterisk	< 18.15.1-r0	UNKNOWN
Alpine	3.19-main	noarch	asterisk	< 18.15.1-r0	UNKNOWN
Alpine	3.20-main	noarch	asterisk	< 18.15.1-r0	UNKNOWN