Last active
February 13, 2025 18:11
CVE-2024-57520.txt
[Suggested description]
Insecure Permissions vulnerability in asterisk v22 allows a remote
attacker to execute arbitrary code via the action_createconfig function
------------------------------------------
[Vulnerability Type]
Insecure Permissions
------------------------------------------
[Vendor of Product]
asterisk
------------------------------------------
[Affected Product Code Base]
asterisk - asterisk 22
------------------------------------------
[Affected Component]
manager.c action_createconfig()
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[CVE Impact Other]
Unrestricted creation of configuration files, resulting in system resource consumption.
------------------------------------------
[Attack Vectors]
Attackers can remotely log into AMI and create configuration files without restrictions.
------------------------------------------
[Reference]
https://github.com/asterisk/asterisk/blob/3c299d2aa03a2f1f2b6d93ab5661eac900308118/main/manager.c#L4188
https://docs.asterisk.org/Asterisk_22_Documentation/API_Documentation/AMI_Actions/CreateConfig/
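The attack vector above requires an AMI login that is allowed to issue configuration-writing actions, so the practical control on the defender's side is the AMI account's permission classes and source ACL in manager.conf. The fragment below is an added illustration, not part of the gist and not Asterisk project code: it places an over-permissive account next to a tightened one. It assumes the standard manager.conf layout and that CreateConfig, like the other config-manipulating actions in manager.c, is gated by the `config` write-permission class; the account names and addresses are constructed placeholders.

```ini
; manager.conf (constructed example, not the project's shipped file)

[general]
enabled = yes
; Bind AMI to loopback only; expose it through a VPN or SSH tunnel if remote access is needed.
bindaddr = 127.0.0.1
port = 5038

; --- Weak setting: any authenticated AMI user can issue every action class,
; --- including the config class that covers CreateConfig, from any address.
[monitor_weak]
secret = changeme-placeholder
deny = 0.0.0.0/0.0.0.0
permit = 0.0.0.0/0.0.0.0
read = all
write = all

; --- Tightened setting for the same monitoring role:
; --- read-only event classes, write limited to what the role actually needs,
; --- no "config" (and no "all"), and a source ACL restricted to the management host.
[monitor_tight]
secret = use-a-long-random-secret-placeholder
deny = 0.0.0.0/0.0.0.0
permit = 10.0.0.5/255.255.255.255
read = system,call,log
write = call,reporting
; If an account genuinely needs config writes, give it its own section with
; write = config, keep its permit list to a single trusted host, and review
; its use in the AMI/manager log rather than granting config to shared accounts.
```

After editing, reload with `manager reload` from the Asterisk CLI and confirm the effective permissions with `manager show user <name>`, which prints the read and write classes and the ACL actually in force for that account.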
In regards to this specific security vulnerability it would also be useful if you could define what "without restrictions" means from your perspective. Are you referring to being able to create files outside of a directory? Unlimited files thus exhausting disk space? Specific details on a security vulnerability filed with us would be great.
Greetings,
I'm the Asterisk Project Lead. Before disclosing security vulnerabilities on gists and requesting a CVE, can you please file a security vulnerability with the Asterisk project at https://github.com/asterisk/asterisk/security so we can investigate and have security releases prepared if applicable?
Thanks,