Vulnerability Details CVE-2022-26651
An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc module provides possibly inadequate escaping functionality for backslash characters in SQL queries, resulting in user-provided data creating a broken SQL query or possibly a SQL injection. This is fixed in 16.25.2, 18.11.2, 19.3.2, and 16.8-cert14.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 37.8%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
Products affected by CVE-2022-26651
- cpe:2.3:a:digium:asterisk:16.0.0
- cpe:2.3:a:digium:asterisk:16.0.1
- cpe:2.3:a:digium:asterisk:16.1.0
- cpe:2.3:a:digium:asterisk:16.15.0
- cpe:2.3:a:digium:asterisk:16.15.1
- cpe:2.3:a:digium:asterisk:16.16.1
- cpe:2.3:a:digium:asterisk:16.16.2
- cpe:2.3:a:digium:asterisk:16.17.0
- cpe:2.3:a:digium:asterisk:16.18.0
- cpe:2.3:a:digium:asterisk:16.19.0
- cpe:2.3:a:digium:asterisk:16.19.1
- cpe:2.3:a:digium:asterisk:16.2.0
- cpe:2.3:a:digium:asterisk:16.2.1
- cpe:2.3:a:digium:asterisk:16.20.0
- cpe:2.3:a:digium:asterisk:16.21.0
- cpe:2.3:a:digium:asterisk:16.22.0
- cpe:2.3:a:digium:asterisk:16.23.0
- cpe:2.3:a:digium:asterisk:16.24.0
- cpe:2.3:a:digium:asterisk:16.25.0
- cpe:2.3:a:digium:asterisk:16.3.0
- cpe:2.3:a:digium:asterisk:16.4.0
- cpe:2.3:a:digium:asterisk:16.4.1
- cpe:2.3:a:digium:asterisk:16.5.0
- cpe:2.3:a:digium:asterisk:16.5.1
- cpe:2.3:a:digium:asterisk:16.6.0
- cpe:2.3:a:digium:asterisk:16.6.1
- cpe:2.3:a:digium:asterisk:16.6.2
- cpe:2.3:a:digium:asterisk:18.0
- cpe:2.3:a:digium:asterisk:18.0.0
- cpe:2.3:a:digium:asterisk:18.0.1
- cpe:2.3:a:digium:asterisk:18.1.0
- cpe:2.3:a:digium:asterisk:18.1.1
- cpe:2.3:a:digium:asterisk:18.2.0
- cpe:2.3:a:digium:asterisk:18.2.1
- cpe:2.3:a:digium:asterisk:18.2.2
- cpe:2.3:a:digium:asterisk:18.3.0
- cpe:2.3:a:digium:asterisk:18.4.0
- cpe:2.3:a:digium:asterisk:18.5.0
- cpe:2.3:a:digium:asterisk:19.0.0
- cpe:2.3:a:digium:asterisk:19.1.0
- cpe:2.3:a:digium:asterisk:19.1.1
- cpe:2.3:a:digium:asterisk:19.2.0
- cpe:2.3:a:digium:asterisk:19.3.0
- cpe:2.3:a:digium:asterisk:19.3.1
- cpe:2.3:a:digium:certified_asterisk:16.8
- cpe:2.3:o:debian:debian_linux:10.0
- cpe:2.3:o:debian:debian_linux:11.0