CVE-2023-26567

Опубликовано: 26 апр. 2023

Источник: nvd

CVSS3: 8.1

EPSS Низкий

Описание

Sangoma FreePBX 1805 through 2302 (when obtained as a ,.ISO file) places AMPDBUSER, AMPDBPASS, AMPMGRUSER, and AMPMGRPASS in the list of global variables. This exposes cleartext authentication credentials for the Asterisk Database (MariaDB/MySQL) and Asterisk Manager Interface. For example, an attacker can make a /ari/asterisk/variable?variable=AMPDBPASS API call.

Ссылки

https://qsecure.com.cy/resources/advisories/sangoma-freepbx-linux-insecure-permissions
Third Party Advisory
https://www.freepbx.org
Product
https://www.sangoma.com/products/open-source/
Product
https://qsecure.com.cy/resources/advisories/sangoma-freepbx-linux-insecure-permissions
Third Party Advisory
https://www.freepbx.org
Product
https://www.sangoma.com/products/open-source/
Product

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:sangoma:freepbx_linux_7:1805:*:*:*:*:*:*:*

cpe:2.3:a:sangoma:freepbx_linux_7:1904:*:*:*:*:*:*:*

cpe:2.3:a:sangoma:freepbx_linux_7:1910:*:*:*:*:*:*:*

cpe:2.3:a:sangoma:freepbx_linux_7:2002:*:*:*:*:*:*:*

cpe:2.3:a:sangoma:freepbx_linux_7:2008:*:*:*:*:*:*:*

cpe:2.3:a:sangoma:freepbx_linux_7:2011:*:*:*:*:*:*:*

cpe:2.3:a:sangoma:freepbx_linux_7:2104:*:*:*:*:*:*:*

cpe:2.3:a:sangoma:freepbx_linux_7:2105:*:*:*:*:*:*:*

cpe:2.3:a:sangoma:freepbx_linux_7:2109:*:*:*:*:*:*:*

cpe:2.3:a:sangoma:freepbx_linux_7:2112:*:*:*:*:*:*:*

cpe:2.3:a:sangoma:freepbx_linux_7:2201:*:*:*:*:*:*:*

cpe:2.3:a:sangoma:freepbx_linux_7:2202:*:*:*:*:*:*:*

cpe:2.3:a:sangoma:freepbx_linux_7:2203:*:*:*:*:*:*:*

cpe:2.3:a:sangoma:freepbx_linux_7:2302:*:*:*:*:*:*:*

EPSS

Процентиль: 29%

0.00104

Низкий

8.1 High

CVSS3

Дефекты

CWE-522

Связанные уязвимости

GHSA-356c-rcq8-p23g