Privilege escalation in Asterisk
CVE-2024-42365
Asterisk is an open source private branch exchange (PBX) and telephony toolkit. Prior to asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an AMI user with `write=originate` may chang…
EPSS: 0.320 (96.9th percentile).
CVSS v3 metric
CVSS v3 base score 7.4 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L.
Affected products
- Asterisk — versions < 18.24.2; versions >= 19.0.0 and < 20.9.2; versions >= 21.0.0 and < 21.4.2
Weakness classification (CWE)
- CWE-267: Privilege Defined With Unsafe Actions
Public proof-of-concept exploits
References
- https://github.com/asterisk/asterisk/security/advisories/GHSA-c4cg-9275-6w44 (x_refsource_CONFIRM)
- https://github.com/asterisk/asterisk/commit/42a2f4ccfa2c7062a15063e765916b3332e34cc4 (x_refsource_MISC)
- https://github.com/asterisk/asterisk/commit/7a0090325bfa9d778a39ae5f7d0a98109e4651c8 (x_refsource_MISC)
- https://github.com/asterisk/asterisk/commit/b4063bf756272254b160b6d1bd6e9a3f8e16cc71 (x_refsource_MISC)
- https://github.com/asterisk/asterisk/commit/bbe68db10ab8a80c29db383e4dfe14f6eafaf993 (x_refsource_MISC)
- https://github.com/asterisk/asterisk/commit/faddd99f2b9408b524e5eb8a01589fe1fa282df2 (x_refsource_MISC)
- https://github.com/asterisk/asterisk/blob/14367caaf7241df1eceea7c45c5b261989c2c6db/main/manager.c#L6426 (x_refsource_MISC)
- https://github.com/asterisk/asterisk/blob/7d28165cb1b2d02d66e8693bd3fe23ee72fc55d8/main/manager.c#L6426 (x_refsource_MISC)
Frequently asked questions
- What is CVE-2024-42365?
- CVE-2024-42365 is a high-severity vulnerability in Asterisk, classified under Privilege Defined With Unsafe Actions. CVSS score: 7.4/10. Published 2024-08-08.
- How severe is CVE-2024-42365?
- High severity. CVSS v3 base score is 7.4 out of 10.
- Is CVE-2024-42365 known to be exploited?
- 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.