← Back

CVE-2017-14100

nvd nist
Published: Sep 2, 2017Modified: May 13, 2026

JSON object

Loading...
9.8
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD

Description

In Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized command execution is possible. The app_minivm module has an "externnotify" program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection.

Affected (189)

Digium
2 products
Asterisk
Certified Asterisk
Configuration A
56 vulnerable
Vulnerable SoftwareAffected Versions
Digium
Asterisk
Version 13.0.0
Asterisk
Version 13.0.0 beta1
Asterisk
Version 13.0.0 beta2
Asterisk
Version 13.0.0 beta3
Asterisk
Version 13.0.1
Asterisk
Version 13.0.2
Asterisk
Version 13.1.0
Asterisk
Version 13.1.0 rc1
Asterisk
Version 13.1.0 rc2
Asterisk
Version 13.1.1
Asterisk
Version 13.10.0
Asterisk
Version 13.10.0 rc1
Asterisk
Version 13.11.0
Asterisk
Version 13.11.1
Asterisk
Version 13.11.2
Asterisk
Version 13.12.0
Asterisk
Version 13.12.1
Asterisk
Version 13.12.2
Asterisk
Version 13.12
Asterisk
Version 13.13.0
Asterisk
Version 13.13.1
Asterisk
Version 13.13
Asterisk
Version 13.14.0
Asterisk
Version 13.14.0 rc1
Asterisk
Version 13.14.0 rc2
Asterisk
Version 13.14.1
Asterisk
Version 13.15.0
Asterisk
Version 13.15.0 rc1
Asterisk
Version 13.15.0 rc2
Asterisk
Version 13.15.0 rc3
Asterisk
Version 13.15.1
Asterisk
Version 13.16.0
Asterisk
Version 13.16.0 rc1
Asterisk
Version 13.16.0 rc2
Asterisk
Version 13.17.0
Asterisk
Version 13.17.0 rc1
Asterisk
Version 13.2.0
Asterisk
Version 13.2.0 rc1
Asterisk
Version 13.2.1
Asterisk
Version 13.3.0 rc1
Asterisk
Version 13.3.2
Asterisk
Version 13.4.0
Asterisk
Version 13.4.0 rc1
Asterisk
Version 13.5.0
Asterisk
Version 13.5.0 rc1
Asterisk
Version 13.6.0 rc1
Asterisk
Version 13.7.0 rc1
Asterisk
Version 13.7.0 rc2
Asterisk
Version 13.7.1
Asterisk
Version 13.7.2
Asterisk
Version 13.8.0
Asterisk
Version 13.8.0 rc1
Asterisk
Version 13.8.1
Asterisk
Version 13.8.2
Asterisk
Version 13.9.0
Asterisk
Version 13.9.1
Configuration B
31 vulnerable
Vulnerable SoftwareAffected Versions
Digium
Asterisk
Version 14.0.0
Asterisk
Version 14.0.0 beta1
Asterisk
Version 14.0.0 beta2
Asterisk
Version 14.0.0 rc1
Asterisk
Version 14.0.0 rc2
Asterisk
Version 14.0.1
Asterisk
Version 14.0.2
Asterisk
Version 14.01
Asterisk
Version 14.02
Asterisk
Version 14.0
Asterisk
Version 14.1.0
Asterisk
Version 14.1.1
Asterisk
Version 14.1.2
Asterisk
Version 14.1
Asterisk
Version 14.2.0
Asterisk
Version 14.2.1
Asterisk
Version 14.2
Asterisk
Version 14.3.0
Asterisk
Version 14.3.0 rc1
Asterisk
Version 14.3.0 rc2
Asterisk
Version 14.3.1
Asterisk
Version 14.4.0
Asterisk
Version 14.4.0 rc1
Asterisk
Version 14.4.0 rc2
Asterisk
Version 14.4.0 rc3
Asterisk
Version 14.4.1
Asterisk
Version 14.5.0
Asterisk
Version 14.5.0 rc1
Asterisk
Version 14.5.0 rc2
Asterisk
Version 14.6.0
Asterisk
Version 14.6.0 rc1
Configuration C
74 vulnerable
Vulnerable SoftwareAffected Versions
Digium
Asterisk
Version 11.0.0
Asterisk
Version 11.0.0 beta1
Asterisk
Version 11.0.0 beta2
Asterisk
Version 11.0.0 rc1
Asterisk
Version 11.0.0 rc2
Asterisk
Version 11.0.1
Asterisk
Version 11.0.2
Asterisk
Version 11.1.0
Asterisk
Version 11.1.0 rc1
Asterisk
Version 11.1.0 rc2
Asterisk
Version 11.1.0 rc3
Asterisk
Version 11.1.1
Asterisk
Version 11.1.2
Asterisk
Version 11.10.0
Asterisk
Version 11.10.0 rc1
Asterisk
Version 11.10.1
Asterisk
Version 11.10.1 rc1
Asterisk
Version 11.10.2
Asterisk
Version 11.11.0
Asterisk
Version 11.11.0 rc1
Asterisk
Version 11.12.0
Asterisk
Version 11.12.0 rc1
Asterisk
Version 11.12.1
Asterisk
Version 11.13.0
Asterisk
Version 11.13.0 rc1
Asterisk
Version 11.13.1
Asterisk
Version 11.14.0
Asterisk
Version 11.14.0 rc1
Asterisk
Version 11.14.0 rc2
Asterisk
Version 11.14.1
Asterisk
Version 11.14.2
Asterisk
Version 11.15.0 rc1
Asterisk
Version 11.15.0 rc2
Asterisk
Version 11.15.1
Asterisk
Version 11.16.0 rc1
Asterisk
Version 11.17.0 rc1
Asterisk
Version 11.17.1
Asterisk
Version 11.18.0
Asterisk
Version 11.18.0 rc1
Asterisk
Version 11.19.0 rc1
Asterisk
Version 11.2.0 rc1
Asterisk
Version 11.2.1
Asterisk
Version 11.2.2
Asterisk
Version 11.20.0 rc1
Asterisk
Version 11.21.0 rc1
Asterisk
Version 11.21.0 rc2
Asterisk
Version 11.21.1
Asterisk
Version 11.21.2
Asterisk
Version 11.22.0
Asterisk
Version 11.22.0 rc1
Asterisk
Version 11.23.0
Asterisk
Version 11.23.0 rc1
Asterisk
Version 11.23.1
Asterisk
Version 11.24.0
Asterisk
Version 11.24.1
Asterisk
Version 11.25.0
Asterisk
Version 11.25.1
Asterisk
Version 11.4.0 rc4
Asterisk
Version 11.6.0
Asterisk
Version 11.6.0 rc1
Asterisk
Version 11.6.0 rc2
Asterisk
Version 11.6.1
Asterisk
Version 11.7.0
Asterisk
Version 11.7.0 rc1
Asterisk
Version 11.7.0 rc2
Asterisk
Version 11.8.0
Asterisk
Version 11.8.0 rc1
Asterisk
Version 11.8.0 rc2
Asterisk
Version 11.8.0 rc3
Asterisk
Version 11.8.1
Asterisk
Version 11.9.0
Asterisk
Version 11.9.0 rc1
Asterisk
Version 11.9.0 rc2
Asterisk
Version 11.9.0 rc3
Configuration D
20 vulnerable
Vulnerable SoftwareAffected Versions
Digium
Certified Asterisk
Version 11.6 cert10
Certified Asterisk
Version 11.6 cert11
Certified Asterisk
Version 11.6 cert12
Certified Asterisk
Version 11.6 cert13
Certified Asterisk
Version 11.6 cert14
Certified Asterisk
Version 11.6 cert14_rc1
Certified Asterisk
Version 11.6 cert14_rc2
Certified Asterisk
Version 11.6 cert15
Certified Asterisk
Version 11.6 cert16
Certified Asterisk
Version 11.6 cert1
Certified Asterisk
Version 11.6 cert1_rc1
Certified Asterisk
Version 11.6 cert1_rc2
Certified Asterisk
Version 11.6 cert2
Certified Asterisk
Version 11.6 cert3
Certified Asterisk
Version 11.6 cert4
Certified Asterisk
Version 11.6 cert5
Certified Asterisk
Version 11.6 cert6
Certified Asterisk
Version 11.6 cert7
Certified Asterisk
Version 11.6 cert8
Certified Asterisk
Version 11.6 cert9
Configuration E
8 vulnerable
Vulnerable SoftwareAffected Versions
Digium
Certified Asterisk
Version 13.13 cert1
Certified Asterisk
Version 13.13 cert1_rc1
Certified Asterisk
Version 13.13 cert1_rc2
Certified Asterisk
Version 13.13 cert1_rc3
Certified Asterisk
Version 13.13 cert1_rc4
Certified Asterisk
Version 13.13 cert2
Certified Asterisk
Version 13.13 cert3
Certified Asterisk
Version 13.13 cert4

Related CWEs

CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (12)

Source: cve@mitre.org
Vendor Advisory
Source: cve@mitre.org
Source: cve@mitre.org
Third Party AdvisoryVDB Entry
Source: cve@mitre.org
Issue TrackingPatchThird Party Advisory
Source: cve@mitre.org
Issue TrackingPatchThird Party Advisory
Source: cve@mitre.org
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
Issue TrackingPatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Issue TrackingPatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.