@hyp164D1
Created October 18, 2024 02:06
Details of the CVE-2024-49215 vulnerability
[CVE ID]
CVE-2024-49215
[Description]
An issue was discovered in Sangoma Asterisk through 18.20.0, 19.x and
20.x through 20.5.0, and 21.x through 21.0.0, and Certified Asterisk
through 18.9-cert5. In manager.c, the functions action_getconfig() and
action_getconfigJson() do not sanitize the input file path, resulting
in a path traversal vulnerability. In versions without the
restrictedFile() function, the input path is not checked at all. In
versions with the restrictedFile() function, that check does not catch
path traversal.
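Added here as an illustration only (not Asterisk's own code and not the patch that fixed this CVE): a lexical check of the kind action_getconfig() and action_getconfigJson() lack, which resolves the requested Filename against the configuration directory and rejects anything that climbs out of it. The function name safe_config_path, the CONFIG_DIR value and the sample filenames are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Assumed base directory; the real value would come from Asterisk's config dir setting. */
#define CONFIG_DIR "/etc/asterisk"
#define MAX_PARTS 64
/*
 * Lexically resolve a Filename from an AMI GetConfig/GetConfigJSON request
 * against CONFIG_DIR and write the result to out. Returns 1 if the path stays
 * inside CONFIG_DIR, 0 if it is empty, absolute, or climbs out with "..".
 * Purely lexical: symlinks are not followed, so pair it with a realpath()
 * comparison or O_NOFOLLOW at open() time for full coverage.
 */
int safe_config_path(const char *requested, char *out, size_t outlen)
{
    const char *parts[MAX_PARTS];
    size_t lens[MAX_PARTS];
    size_t depth = 0, i, used;
    const char *p = requested;
    if (!p || !*p || *p == '/')
        return 0;                   /* empty or absolute: never a config file name */
    while (*p) {
        const char *start = p;
        size_t len;
        while (*p && *p != '/') p++;
        len = (size_t)(p - start);
        while (*p == '/') p++;      /* collapse repeated separators */
        if (len == 0 || (len == 1 && start[0] == '.'))
            continue;               /* "." is a no-op */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)         /* would climb above CONFIG_DIR: traversal */
                return 0;
            depth--;
            continue;
        }
        if (depth == MAX_PARTS)
            return 0;
        parts[depth] = start;
        lens[depth++] = len;
    }
    if (depth == 0)                 /* resolved to the directory itself, not a file */
        return 0;
    /* Rebuild as CONFIG_DIR/<component>/..., refusing anything that would truncate. */
    used = (size_t)snprintf(out, outlen, "%s", CONFIG_DIR);
    for (i = 0; i < depth && used < outlen; i++)
        used += (size_t)snprintf(out + used, outlen - used, "/%.*s", (int)lens[i], parts[i]);
    return used < outlen;
}
```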
------------------------------------------
[Additional Information]
traversal = '../../../../../../../../'
cfg_msg = ami_msg('GetConfigJSON', {
'ActionID': args.action_id,
'Filename': f'{traversal}{args.file}',
})
------------------------------------------
[Vulnerability Type]
Directory Traversal
------------------------------------------
[Vendor of Product]
https://github.com/asterisk/asterisk/
------------------------------------------
[Affected Product Code Base]
Asterisk - Asterisk=21.0.0, Asterisk<=20.5.0, Asterisk<=18.20.0, certified-asterisk<=18.9-cert5
------------------------------------------
[Affected Component]
manager.c
------------------------------------------
[Attack Type]
Local
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
Once logged in to AMI, a script that sends traversal paths in the Filename field can retrieve the file.
------------------------------------------
[Reference]
https://github.com/asterisk/asterisk/blob/20.5.0/main/manager.c#L3755