CVE-2024-57520

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-57520
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-57520.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-57520
Downstream
Published
2025-02-05T22:15:32.923Z
Modified
2025-11-20T12:28:52.796349Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Insecure Permissions vulnerability in Asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function. NOTE: this is disputed by the Supplier because the impact is limited to creating empty files outside of the Asterisk product directory (aka directory traversal) and the attack can only be performed by a privileged user who has the ability to manage the configuration.

References

Affected packages

Git / github.com/asterisk/asterisk

Affected ranges

Type
GIT
Repo
https://github.com/asterisk/asterisk
Events

Affected versions

22.*

22.0.0
22.1.0
22.1.0-rc1
22.1.1
22.2.0
22.2.0-rc1
22.2.0-rc2
22.3.0
22.3.0-rc1
22.4.0
22.4.0-rc1
22.5.0
22.5.0-rc1
22.5.0-rc2
22.5.0-rc3
22.5.1