CVE-2017-14100
- Source
- https://cve.org/CVERecord?id=CVE-2017-14100
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-14100.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2017-14100
- Downstream
- Published
- 2017-09-02T16:29:00.333Z
- Modified
- 2026-02-13T08:10:24.148305Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before 14.6.1 and Certified Asterisk 11.x before 11.6-cert17 and 13.x before 13.13-cert5, unauthorized command execution is possible. The app_minivm module has an "externnotify" program configuration option that is executed by the MinivmNotify dialplan application. The application uses the caller-id name and number as part of a built string passed to the OS shell for interpretation and execution. Since the caller-id name and number can come from an untrusted source, a crafted caller-id name or number allows an arbitrary shell command injection.
- References
-
- http://downloads.asterisk.org/pub/security/AST-2017-006.html
- http://www.debian.org/security/2017/dsa-3964
- http://www.securitytracker.com/id/1039252
- https://bugs.debian.org/873908
- https://issues.asterisk.org/jira/browse/ASTERISK-27103
- https://security.gentoo.org/glsa/201710-29
- https://bugs.debian.org/873908
- https://issues.asterisk.org/jira/browse/ASTERISK-27103
- https://bugs.debian.org/873908
- https://issues.asterisk.org/jira/browse/ASTERISK-27103