Vulnerability Details CVE-2017-14100
In Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized command execution is possible. The app_minivm module has an "externnotify" program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.369
EPSS Ranking 97.0%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- http://downloads.asterisk.org/pub/security/AST-2017-006.html
- http://www.debian.org/security/2017/dsa-3964
- http://www.securitytracker.com/id/1039252
- https://bugs.debian.org/873908
- https://issues.asterisk.org/jira/browse/ASTERISK-27103
- https://security.gentoo.org/glsa/201710-29
- http://downloads.asterisk.org/pub/security/AST-2017-006.html
- http://www.debian.org/security/2017/dsa-3964
- http://www.securitytracker.com/id/1039252
- https://bugs.debian.org/873908
- https://issues.asterisk.org/jira/browse/ASTERISK-27103
- https://security.gentoo.org/glsa/201710-29
Products affected by CVE-2017-14100
-
cpe:2.3:a:digium:asterisk:11.0.0
-
cpe:2.3:a:digium:asterisk:11.0.1
-
cpe:2.3:a:digium:asterisk:11.0.2
-
cpe:2.3:a:digium:asterisk:11.1.0
-
cpe:2.3:a:digium:asterisk:11.1.1
-
cpe:2.3:a:digium:asterisk:11.1.2
-
cpe:2.3:a:digium:asterisk:11.10.0
-
cpe:2.3:a:digium:asterisk:11.10.1
-
cpe:2.3:a:digium:asterisk:11.10.2
-
cpe:2.3:a:digium:asterisk:11.11.0
-
cpe:2.3:a:digium:asterisk:11.12.0
-
cpe:2.3:a:digium:asterisk:11.12.1
-
cpe:2.3:a:digium:asterisk:11.13.0
-
cpe:2.3:a:digium:asterisk:11.13.1
-
cpe:2.3:a:digium:asterisk:11.14.0
-
cpe:2.3:a:digium:asterisk:11.14.1
-
cpe:2.3:a:digium:asterisk:11.14.2
-
cpe:2.3:a:digium:asterisk:11.15.0
-
cpe:2.3:a:digium:asterisk:11.15.1
-
cpe:2.3:a:digium:asterisk:11.16.0
-
cpe:2.3:a:digium:asterisk:11.17.0
-
cpe:2.3:a:digium:asterisk:11.17.1
-
cpe:2.3:a:digium:asterisk:11.18.0
-
cpe:2.3:a:digium:asterisk:11.19.0
-
cpe:2.3:a:digium:asterisk:11.2.0
-
cpe:2.3:a:digium:asterisk:11.2.1
-
cpe:2.3:a:digium:asterisk:11.2.2
-
cpe:2.3:a:digium:asterisk:11.20.0
-
cpe:2.3:a:digium:asterisk:11.21.0
-
cpe:2.3:a:digium:asterisk:11.21.1
-
cpe:2.3:a:digium:asterisk:11.21.2
-
cpe:2.3:a:digium:asterisk:11.22.0
-
cpe:2.3:a:digium:asterisk:11.23.0
-
cpe:2.3:a:digium:asterisk:11.23.1
-
cpe:2.3:a:digium:asterisk:11.24.0
-
cpe:2.3:a:digium:asterisk:11.24.1
-
cpe:2.3:a:digium:asterisk:11.25.0
-
cpe:2.3:a:digium:asterisk:11.25.1
-
cpe:2.3:a:digium:asterisk:11.4.0
-
cpe:2.3:a:digium:asterisk:11.6.0
-
cpe:2.3:a:digium:asterisk:11.6.1
-
cpe:2.3:a:digium:asterisk:11.7.0
-
cpe:2.3:a:digium:asterisk:11.8.0
-
cpe:2.3:a:digium:asterisk:11.8.1
-
cpe:2.3:a:digium:asterisk:11.9.0
-
cpe:2.3:a:digium:asterisk:13.0.0
-
cpe:2.3:a:digium:asterisk:13.0.1
-
cpe:2.3:a:digium:asterisk:13.0.2
-
cpe:2.3:a:digium:asterisk:13.1.0
-
cpe:2.3:a:digium:asterisk:13.1.1
-
cpe:2.3:a:digium:asterisk:13.10.0
-
cpe:2.3:a:digium:asterisk:13.11.0
-
cpe:2.3:a:digium:asterisk:13.11.1
-
cpe:2.3:a:digium:asterisk:13.11.2
-
cpe:2.3:a:digium:asterisk:13.12
-
cpe:2.3:a:digium:asterisk:13.12.0
-
cpe:2.3:a:digium:asterisk:13.12.1
-
cpe:2.3:a:digium:asterisk:13.12.2
-
cpe:2.3:a:digium:asterisk:13.13
-
cpe:2.3:a:digium:asterisk:13.13.0
-
cpe:2.3:a:digium:asterisk:13.13.1
-
cpe:2.3:a:digium:asterisk:13.14.0
-
cpe:2.3:a:digium:asterisk:13.14.1
-
cpe:2.3:a:digium:asterisk:13.15.0
-
cpe:2.3:a:digium:asterisk:13.15.1
-
cpe:2.3:a:digium:asterisk:13.16.0
-
cpe:2.3:a:digium:asterisk:13.17.0
-
cpe:2.3:a:digium:asterisk:13.2.0
-
cpe:2.3:a:digium:asterisk:13.2.1
-
cpe:2.3:a:digium:asterisk:13.3.0
-
cpe:2.3:a:digium:asterisk:13.3.2
-
cpe:2.3:a:digium:asterisk:13.4.0
-
cpe:2.3:a:digium:asterisk:13.5.0
-
cpe:2.3:a:digium:asterisk:13.6.0
-
cpe:2.3:a:digium:asterisk:13.7.0
-
cpe:2.3:a:digium:asterisk:13.7.1
-
cpe:2.3:a:digium:asterisk:13.7.2
-
cpe:2.3:a:digium:asterisk:13.8.0
-
cpe:2.3:a:digium:asterisk:13.8.1
-
cpe:2.3:a:digium:asterisk:13.8.2
-
cpe:2.3:a:digium:asterisk:13.9.0
-
cpe:2.3:a:digium:asterisk:13.9.1
-
cpe:2.3:a:digium:asterisk:14.0
-
cpe:2.3:a:digium:asterisk:14.0.0
-
cpe:2.3:a:digium:asterisk:14.0.1
-
cpe:2.3:a:digium:asterisk:14.0.2
-
cpe:2.3:a:digium:asterisk:14.01
-
cpe:2.3:a:digium:asterisk:14.02
-
cpe:2.3:a:digium:asterisk:14.1
-
cpe:2.3:a:digium:asterisk:14.1.0
-
cpe:2.3:a:digium:asterisk:14.1.1
-
cpe:2.3:a:digium:asterisk:14.1.2
-
cpe:2.3:a:digium:asterisk:14.2
-
cpe:2.3:a:digium:asterisk:14.2.0
-
cpe:2.3:a:digium:asterisk:14.2.1
-
cpe:2.3:a:digium:asterisk:14.3.0
-
cpe:2.3:a:digium:asterisk:14.3.1
-
cpe:2.3:a:digium:asterisk:14.4.0
-
cpe:2.3:a:digium:asterisk:14.4.1
-
cpe:2.3:a:digium:asterisk:14.5.0
-
cpe:2.3:a:digium:asterisk:14.6.0
-
cpe:2.3:a:digium:certified_asterisk:11.6
-
cpe:2.3:a:digium:certified_asterisk:13.13