← Back

CVE-2022-26651

nvd nist
Published: Apr 15, 2022Modified: Nov 21, 2024

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD

Description

An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc module provides possibly inadequate escaping functionality for backslash characters in SQL queries, resulting in user-provided data creating a broken SQL query or possibly a SQL injection. This is fixed in 16.25.2, 18.11.2, and 19.3.2, and 16.8-cert14.

Affected (26)

Digium
2 products
Asterisk
Certified Asterisk
Debian
1 product
Debian Linux
Configuration A
24 vulnerable
Vulnerable SoftwareAffected Versions
Digium
Asterisk
From 16.0.0 to 16.25.2
Asterisk
From 18.0 to 18.11.2
Asterisk
From 19.0.0 to 19.3.2
Digium
Certified Asterisk
Version 16.8
Certified Asterisk
Version 16.8 cert1-rc1
Certified Asterisk
Version 16.8 cert1-rc2
Certified Asterisk
Version 16.8 cert1-rc3
Certified Asterisk
Version 16.8 cert1-rc4
Certified Asterisk
Version 16.8 cert10
Certified Asterisk
Version 16.8 cert11
Certified Asterisk
Version 16.8 cert12
Certified Asterisk
Version 16.8 cert13
Certified Asterisk
Version 16.8 cert2
Certified Asterisk
Version 16.8 cert3
Certified Asterisk
Version 16.8 cert4-rc1
Certified Asterisk
Version 16.8 cert4-rc2
Certified Asterisk
Version 16.8 cert4-rc3
Certified Asterisk
Version 16.8 cert4-rc4
Certified Asterisk
Version 16.8 cert4
Certified Asterisk
Version 16.8 cert5
Certified Asterisk
Version 16.8 cert6
Certified Asterisk
Version 16.8 cert7
Certified Asterisk
Version 16.8 cert8
Certified Asterisk
Version 16.8 cert9
Configuration B
2 vulnerable
Vulnerable SoftwareAffected Versions
Debian
Debian Linux
Version 10.0
Debian Linux
Version 11.0

Related CWEs

CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

References (10)

Source: cve@mitre.org
Third Party AdvisoryVDB Entry
Source: cve@mitre.org
Vendor Advisory
Source: cve@mitre.org
Vendor Advisory
Source: cve@mitre.org
Mailing ListThird Party Advisory
Source: cve@mitre.org
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory

Timeline

No history available yet.