CVE-2022-26651
high-risk
Published 2022-04-15
An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc module provides possibly inadequate escaping functionality for backslash characters in SQL queries, resulting in user-provided data creating a broken SQL query or possibly a SQL injection. This is fixed in 16.25.2, 18.11.2, and 19.3.2, and 16.8-cert14.
Do I need to act?
-
0.44% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (20)
References (10)
Third Party Advisory
http://packetstormsecurity.com/files/166746/Asterisk-Project-Security-Advisory-A...
Vendor Advisory
https://downloads.asterisk.org/pub/security/
Vendor Advisory
https://downloads.asterisk.org/pub/security/AST-2022-003.html
Third Party Advisory
https://www.debian.org/security/2022/dsa-5285
Third Party Advisory
http://packetstormsecurity.com/files/166746/Asterisk-Project-Security-Advisory-A...
Vendor Advisory
https://downloads.asterisk.org/pub/security/
Vendor Advisory
https://downloads.asterisk.org/pub/security/AST-2022-003.html
Third Party Advisory
https://www.debian.org/security/2022/dsa-5285
55
/ 100
high-risk
Severity
32/34 · Critical
Exploitability
2/34 · Minimal
Exposure
21/34 · High