9.8

CVE-2024-57520

EPSS 1.36%
Veröffentlicht 05.02.2025 22:15:32
Zuletzt bearbeitet 06.11.2025 13:15:35
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Insecure Permissions vulnerability in asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function. NOTE: this is disputed by the Supplier because the impact is limited to creating empty files outside of the Asterisk product directory (aka directory traversal) and the attack can only be performed by a privileged user who has the ability to manage the configuration.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Sangoma ≫ Asterisk Version >= 22.0.0 <= 22.5.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.36%	0.797

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-732 Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

https://gist.github.com/hyp164D1/ae76ab25acfbe263b2ed7b24b6e5c621

Third Party Advisory

https://github.com/asterisk/asterisk/issues/1122

https://nvd.nist.gov/vuln/detail/CVE-2024-57520

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-57520

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-57520

EUVD