CVE-2025-47780

Опубликовано: 22 мая 2025

Источник: nvd

CVSS3: 7.8

EPSS Низкий

Описание

Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring cli_permissions.conf (e.g. with the config line deny=!*) does not work which could lead to a security risk. If an administrator running an Asterisk instance relies on the cli_permissions.conf file to work and expects it to deny all attempts to execute shell commands, then this could lead to a security vulnerability. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*

Версия до 18.26.2 (исключая)

cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*

Версия от 20.0.0 (включая) до 20.14.1 (исключая)

cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*

Версия от 21.0.0 (включая) до 21.9.1 (исключая)

cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*

Версия от 22.0.0 (включая) до 22.4.1 (исключая)

Конфигурация 2

Одно из

cpe:2.3:a:sangoma:certified_asterisk:*:*:*:*:*:*:*:*

Версия до 18.9 (исключая)

cpe:2.3:a:sangoma:certified_asterisk:18.9:-:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:18.9:cert1-rc1:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:18.9:cert10:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:18.9:cert11:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:18.9:cert12:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:18.9:cert13:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:18.9:cert2:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:18.9:cert3:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:18.9:cert4:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:18.9:cert5:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:18.9:cert6:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:18.9:cert7:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:18.9:cert8:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:18.9:cert8-rc1:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:18.9:cert8-rc2:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:18.9:cert9:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc1:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:20.7:cert1-rc2:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:20.7:cert2:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:20.7:cert3:*:*:*:*:*:*

cpe:2.3:a:sangoma:certified_asterisk:20.7:cert4:*:*:*:*:*:*

EPSS

Процентиль: 29%

0.00103

Низкий

7.8 High

CVSS3

Дефекты

CWE-78

Связанные уязвимости

CVE-2025-47780

CVSS3: 7.8

ubuntu

9 месяцев назад

Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring `cli_permissions.conf` (e.g. with the config line `deny=!*`) does not work which could lead to a security risk. If an administrator running an Asterisk instance relies on the `cli_permissions.conf` file to work and expects it to deny all attempts to execute shell commands, then this could lead to a security vulnerability. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.

CVE-2025-47780

CVSS3: 7.8

debian

9 месяцев назад

Asterisk is an open-source private branch exchange (PBX). Prior to ver ...

EPSS

Процентиль: 29%

0.00103

Низкий

7.8 High

CVSS3

Дефекты

CWE-78