9.8
CVE-2017-14100
- EPSS 34.96%
- Veröffentlicht 02.09.2017 16:29:00
- Zuletzt bearbeitet 20.04.2025 01:37:25
- Quelle cve@mitre.org
- Teams Watchlist Login
- Unerledigt Login
In Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized command execution is possible. The app_minivm module has an "externnotify" program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Digium ≫ Certified Asterisk Version11.6 Updatecert1
Digium ≫ Certified Asterisk Version11.6 Updatecert1_rc1
Digium ≫ Certified Asterisk Version11.6 Updatecert1_rc2
Digium ≫ Certified Asterisk Version11.6 Updatecert10
Digium ≫ Certified Asterisk Version11.6 Updatecert11
Digium ≫ Certified Asterisk Version11.6 Updatecert12
Digium ≫ Certified Asterisk Version11.6 Updatecert13
Digium ≫ Certified Asterisk Version11.6 Updatecert14
Digium ≫ Certified Asterisk Version11.6 Updatecert14_rc1
Digium ≫ Certified Asterisk Version11.6 Updatecert14_rc2
Digium ≫ Certified Asterisk Version11.6 Updatecert15
Digium ≫ Certified Asterisk Version11.6 Updatecert16
Digium ≫ Certified Asterisk Version11.6 Updatecert2
Digium ≫ Certified Asterisk Version11.6 Updatecert3
Digium ≫ Certified Asterisk Version11.6 Updatecert4
Digium ≫ Certified Asterisk Version11.6 Updatecert5
Digium ≫ Certified Asterisk Version11.6 Updatecert6
Digium ≫ Certified Asterisk Version11.6 Updatecert7
Digium ≫ Certified Asterisk Version11.6 Updatecert8
Digium ≫ Certified Asterisk Version11.6 Updatecert9
Digium ≫ Certified Asterisk Version13.13 Updatecert1
Digium ≫ Certified Asterisk Version13.13 Updatecert1_rc1
Digium ≫ Certified Asterisk Version13.13 Updatecert1_rc2
Digium ≫ Certified Asterisk Version13.13 Updatecert1_rc3
Digium ≫ Certified Asterisk Version13.13 Updatecert1_rc4
Digium ≫ Certified Asterisk Version13.13 Updatecert2
Digium ≫ Certified Asterisk Version13.13 Updatecert3
Digium ≫ Certified Asterisk Version13.13 Updatecert4
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 34.96% | 0.969 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.