CVE-2022-26651

An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc module provides possibly inadequate escaping functionality for backslash characters in SQL queries, resulting in user-provided data creating a broken SQL query or possibly a SQL injection. This is fixed in 16.25.2, 18.11.2, 19.3.2, and 16.8-cert14.
SQL Injection
Provider | Type | Base Score   | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST     | NIST | 9.8 CRITICAL | NETWORK     | LOW             | NONE           | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitre    | CNA  | ---          | ---         |                 |                |
CVE      | ADP  | ---          | ---         |                 |                |

Base Score: CVSS 3.x
EPSS Score: Percentile 37%
Vendor | Product            | Version
digium | asterisk           | 16.0.0 ≤ x < 16.25.2
digium | asterisk           | 18.0 ≤ x < 18.11.2
digium | asterisk           | 19.0.0 ≤ x < 19.3.2
digium | certified_asterisk | 16.8
digium | certified_asterisk | 16.8:cert1-rc1
digium | certified_asterisk | 16.8:cert1-rc2
digium | certified_asterisk | 16.8:cert1-rc3
digium | certified_asterisk | 16.8:cert1-rc4
digium | certified_asterisk | 16.8:cert10
digium | certified_asterisk | 16.8:cert11
digium | certified_asterisk | 16.8:cert12
digium | certified_asterisk | 16.8:cert13
digium | certified_asterisk | 16.8:cert2
digium | certified_asterisk | 16.8:cert3
digium | certified_asterisk | 16.8:cert4
digium | certified_asterisk | 16.8:cert4-rc1
digium | certified_asterisk | 16.8:cert4-rc2
digium | certified_asterisk | 16.8:cert4-rc3
digium | certified_asterisk | 16.8:cert4-rc4
digium | certified_asterisk | 16.8:cert5
digium | certified_asterisk | 16.8:cert6
digium | certified_asterisk | 16.8:cert7
digium | certified_asterisk | 16.8:cert8
digium | certified_asterisk | 16.8:cert9
debian | debian_linux       | 10.0
debian | debian_linux       | 11.0

x = Vulnerable software versions
Debian Releases

Debian Product | Codename            | Version                          | Status
asterisk       | bullseye            | 1:16.28.0~dfsg-0+deb11u4         | fixed
asterisk       | stretch             |                                  | postponed
asterisk       | bullseye (security) | 1:16.28.0~dfsg-0+deb11u5         | fixed
asterisk       | sid                 | 1:22.0.0~dfsg+~cs6.14.60671435-1 | fixed
Ubuntu Releases

Ubuntu Product | Codename | Status
asterisk       | noble    | needs-triage
asterisk       | mantic   | ignored
asterisk       | lunar    | ignored
asterisk       | kinetic  | ignored
asterisk       | jammy    | needs-triage
asterisk       | impish   | ignored
asterisk       | focal    | needs-triage
asterisk       | bionic   | needs-triage
asterisk       | xenial   | needs-triage
asterisk       | trusty   | ignored