Vulnerability Details CVE-2022-26499
An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send arbitrary requests (such as GET) to interfaces such as localhost by using the Identity header. This is fixed in 16.25.2, 18.11.2, and 19.3.2.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 41.9%
CVSS Severity
CVSS v3 Score 9.1
CVSS v2 Score 6.4
References
- http://packetstormsecurity.com/files/166745/Asterisk-Project-Security-Advisory-AST-2022-002.html
- https://downloads.asterisk.org/pub/security/
- https://downloads.asterisk.org/pub/security/AST-2022-002.html
- https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
- https://www.debian.org/security/2022/dsa-5285
- http://packetstormsecurity.com/files/166745/Asterisk-Project-Security-Advisory-AST-2022-002.html
- https://downloads.asterisk.org/pub/security/
- https://downloads.asterisk.org/pub/security/AST-2022-002.html
- https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
- https://www.debian.org/security/2022/dsa-5285
Products affected by CVE-2022-26499
-
cpe:2.3:a:digium:asterisk:16.15.0
-
cpe:2.3:a:digium:asterisk:16.15.1
-
cpe:2.3:a:digium:asterisk:16.16.1
-
cpe:2.3:a:digium:asterisk:16.16.2
-
cpe:2.3:a:digium:asterisk:16.17.0
-
cpe:2.3:a:digium:asterisk:16.18.0
-
cpe:2.3:a:digium:asterisk:16.19.0
-
cpe:2.3:a:digium:asterisk:16.19.1
-
cpe:2.3:a:digium:asterisk:16.20.0
-
cpe:2.3:a:digium:asterisk:16.21.0
-
cpe:2.3:a:digium:asterisk:16.22.0
-
cpe:2.3:a:digium:asterisk:16.23.0
-
cpe:2.3:a:digium:asterisk:16.24.0
-
cpe:2.3:a:digium:asterisk:16.25.0
-
cpe:2.3:a:digium:asterisk:18.0
-
cpe:2.3:a:digium:asterisk:18.0.0
-
cpe:2.3:a:digium:asterisk:18.0.1
-
cpe:2.3:a:digium:asterisk:18.1.0
-
cpe:2.3:a:digium:asterisk:18.1.1
-
cpe:2.3:a:digium:asterisk:18.2.0
-
cpe:2.3:a:digium:asterisk:18.2.1
-
cpe:2.3:a:digium:asterisk:18.2.2
-
cpe:2.3:a:digium:asterisk:18.3.0
-
cpe:2.3:a:digium:asterisk:18.4.0
-
cpe:2.3:a:digium:asterisk:18.5.0
-
cpe:2.3:a:digium:asterisk:19.0.0
-
cpe:2.3:a:digium:asterisk:19.1.0
-
cpe:2.3:a:digium:asterisk:19.1.1
-
cpe:2.3:a:digium:asterisk:19.2.0
-
cpe:2.3:a:digium:asterisk:19.3.0
-
cpe:2.3:a:digium:asterisk:19.3.1
-
cpe:2.3:o:debian:debian_linux:10.0
-
cpe:2.3:o:debian:debian_linux:11.0