Candidate: CVE-2012-2414
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2414
http://downloads.asterisk.org/pub/security/AST-2012-004.html
main/manager.c in the Manager Interface in Asterisk Open Source 1.6.2.x
before 1.6.2.24, 1.8.x before 1.8.11.1, and 10.x before 10.3.1 and Asterisk
Business Edition C.3.x before C.3.7.4 does not properly enforce System
class authorization requirements, which allows remote authenticated users
to execute arbitrary commands via (1) the originate action in the
MixMonitor application, (2) the SHELL and EVAL functions in the GetVar
manager action, or (3) the SHELL and EVAL functions in the Status manager
tyhicks> Affects 1.6.2.x, 1.8.x, 10.x
tyhicks> Attacker must be authenticated into the Asterisk Manager Interface
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670180
https://bugs.launchpad.net/ubuntu/+source/asterisk/+bug/996162
Discovered-by: David Woolley
upstream_asterisk: released (1:1.8.11.1~dfsg-1)
hardy_asterisk: not-affected (1.4.17~dfsg-2ubuntu1.1)
lucid_asterisk: ignored (reached end-of-life)
natty_asterisk: ignored (reached end-of-life)
oneiric_asterisk: ignored (reached end-of-life)
precise_asterisk: ignored (reached end-of-life)
precise/esm_asterisk: DNE (precise was needed)
quantal_asterisk: not-affected (1:1.8.13.1~dfsg-1ubuntu2)
raring_asterisk: not-affected
saucy_asterisk: not-affected
trusty_asterisk: not-affected
utopic_asterisk: not-affected
vivid_asterisk: not-affected
vivid/stable-phone-overlay_asterisk: DNE
vivid/ubuntu-core_asterisk: DNE
wily_asterisk: not-affected
xenial_asterisk: not-affected
yakkety_asterisk: not-affected
zesty_asterisk: not-affected
devel_asterisk: not-affected