CVE-2025-47780

Source
https://cve.org/CVERecord?id=CVE-2025-47780
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-47780.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-47780
Aliases
  • GHSA-c7p6-7mvq-8jq2
Downstream
Published
2025-05-22T16:56:28.937Z
Modified
2026-04-10T05:27:29.122537Z
Severity
  • 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Summary
cli_permissions.conf: deny option does not work for disallowing shell commands
Details

Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, a rule in cli_permissions.conf intended to disallow shell commands run through the Asterisk command line interface (CLI), for example the configuration line deny=!*, is not enforced: commands entered through the CLI shell escape (a command prefixed with !) still run. An administrator who relies on cli_permissions.conf to deny all attempts to execute shell commands from the CLI therefore has weaker restrictions in place than the configuration suggests, and a CLI user covered by such a deny rule can still run shell commands. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.
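The following triage helper is an added example, not code from this record or from the Asterisk project. It applies the fixed versions listed in this record to an Asterisk version string (release, release-candidate, or certified build, in the forms used by the git tags below) and scans a cli_permissions.conf for deny= rules aimed at the shell escape, which are exactly the rules an unfixed release ignores. Assumptions: the config parser handles only [section] headers, key=value lines and ';' comments and does not model how Asterisk matches deny= patterns; the sample config, the account name "asterisk" and the "@operators" group section are constructed for the example; versions on branches this record does not name (for instance 19.x) are reported as "unlisted" rather than guessed.

```python
"""Triage helper for CVE-2025-47780 (Asterisk cli_permissions.conf deny=!* bypass).

Added example, not Asterisk project code. Works offline:
  1. is_affected(): does a version string fall in a range the record lists as affected?
  2. shell_deny_rules(): which cli_permissions.conf sections carry deny= rules that
     start with '!' (the CLI shell escape) and are therefore ineffective before the fix?
"""
import re

# First fixed version per branch, copied from the record above.
FIXED = {
    ("regular", 18): "18.26.2",
    ("regular", 20): "20.14.1",
    ("regular", 21): "21.9.1",
    ("regular", 22): "22.4.1",
    ("certified", 18): "18.9-cert14",
    ("certified", 20): "20.7-cert5",
}

_RE_REGULAR = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?$")
_RE_CERT = re.compile(r"^(?:certified[-/])?(\d+)\.(\d+)-cert(\d+)(?:-rc(\d+))?$")


def parse_version(text):
    """Return (branch, major, sort_key); raise ValueError on unknown formats.

    sort_key orders a release candidate before the release it precedes
    (22.4.0-rc1 < 22.4.0). Certified builds ("18.9-cert12", or the git tag
    forms "certified-18.9-cert12" / "certified/18.9-cert1") form their own branch.
    """
    text = text.strip()
    m = _RE_CERT.match(text)
    if m:
        major, minor, cert, rc = m.groups()
        key = (int(major), int(minor), int(cert), 0 if rc else 1, int(rc or 0))
        return "certified", int(major), key
    m = _RE_REGULAR.match(text)
    if m:
        major, minor, patch, rc = m.groups()
        key = (int(major), int(minor), int(patch or 0), 0 if rc else 1, int(rc or 0))
        return "regular", int(major), key
    raise ValueError("unrecognised Asterisk version: %r" % text)


def is_affected(version):
    """Return 'affected', 'fixed', or 'unlisted' (branch not named in the record)."""
    branch, major, key = parse_version(version)
    fixed = FIXED.get((branch, major))
    if fixed is None:
        return "unlisted"          # e.g. 19.x: the record says nothing, so neither do we
    _, _, fixed_key = parse_version(fixed)
    return "affected" if key < fixed_key else "fixed"


def shell_deny_rules(conf_text):
    """Map section name -> deny= values beginning with '!' (shell-escape rules).

    Parsing is limited to [section], key=value and ';' comments (assumption);
    the pattern semantics Asterisk applies to deny= values are not modelled.
    """
    section, found = None, {}
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if "=" not in line or section is None:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "deny" and value.startswith("!"):
            found.setdefault(section, []).append(value)
    return found


def triage(version, conf_text):
    """Combine both checks: which shell deny rules are ineffective on this version."""
    status = is_affected(version)
    rules = shell_deny_rules(conf_text)
    return {
        "version_status": status,
        "shell_deny_rules": rules,
        "ineffective": rules if status == "affected" else {},
    }


# Constructed sample config for the example; account and group names are made up.
SAMPLE_CONF = """\
[general]
default_perm=permit

[asterisk]              ; user name of a remote-console account (assumed)
deny=!*                 ; intended to block every shell escape
deny=core reload
permit=core show channels

[@operators]            ; group-style section (assumed syntax)
deny=!sh
permit=sip show peers
"""

if __name__ == "__main__":
    for ver in ("20.10.0", "21.9.1", "certified-18.9-cert12", "19.8.0"):
        print(ver, triage(ver, SAMPLE_CONF))
```

To use it against a live host, pass the version part of `asterisk -V` output (the text after the leading word "Asterisk") to `is_affected()` and the contents of /etc/asterisk/cli_permissions.conf to `shell_deny_rules()`; any section reported under "ineffective" is one whose shell restriction the running release does not enforce, and the fix is to upgrade to the versions named above rather than to rewrite the rule.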

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/47xxx/CVE-2025-47780.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-78"
    ]
}
References

Affected packages

Git / github.com/asterisk/asterisk

Affected ranges

Type
GIT
Repo
https://github.com/asterisk/asterisk
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "18.9-cert14"
        }
    ]
}
Type
GIT
Repo
https://github.com/asterisk/asterisk
Events
Database specific
{
    "versions": [
        {
            "introduced": "18.10"
        },
        {
            "fixed": "18.26.2"
        }
    ]
}
Type
GIT
Repo
https://github.com/asterisk/asterisk
Events
Database specific
{
    "versions": [
        {
            "introduced": "20.0"
        },
        {
            "fixed": "20.7-cert5"
        }
    ]
}
Type
GIT
Repo
https://github.com/asterisk/asterisk
Events
Database specific
{
    "versions": [
        {
            "introduced": "20.8"
        },
        {
            "fixed": "20.14.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/asterisk/asterisk
Events
Database specific
{
    "versions": [
        {
            "introduced": "21.0"
        },
        {
            "fixed": "21.9.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/asterisk/asterisk
Events
Database specific
{
    "versions": [
        {
            "introduced": "22.0"
        },
        {
            "fixed": "22.4.1"
        }
    ]
}

Affected versions

18.*
18.9.0
18.9.0-rc1
20.*
20.10.0
20.10.0-rc1
20.10.0-rc2
20.11.0
20.11.0-rc1
20.11.1
20.12.0
20.12.0-rc1
20.12.0-rc2
20.13.0
20.13.0-rc1
20.14.0
20.14.0-rc1
20.8.0
20.8.1
20.9.0
20.9.0-rc1
20.9.1
20.9.2
20.9.3
21.*
21.0.0
21.0.1
21.0.2
21.1.0
21.1.0-rc1
21.1.0-rc2
21.2.0
21.2.0-rc1
21.2.0-rc2
21.3.0
21.3.0-rc1
21.3.1
21.4.0
21.4.0-rc1
21.4.1
21.4.2
21.4.3
21.5.0
21.5.0-rc1
21.5.0-rc2
21.6.0
21.6.0-rc1
21.6.1
21.7.0
21.7.0-rc1
21.7.0-rc2
21.8.0
21.8.0-rc1
21.9.0
21.9.0-rc1
22.*
22.0.0
22.1.0
22.1.0-rc1
22.1.1
22.2.0
22.2.0-rc1
22.2.0-rc2
22.3.0
22.3.0-rc1
22.4.0
22.4.0-rc1
certified-18.*
certified-18.9-cert10
certified-18.9-cert11
certified-18.9-cert12
certified-18.9-cert13
certified-18.9-cert4
certified-18.9-cert5
certified-18.9-cert6
certified-18.9-cert7
certified-18.9-cert8
certified-18.9-cert8-rc1
certified-18.9-cert8-rc2
certified-18.9-cert9
certified/18.*
certified/18.9-cert1
certified/18.9-cert1-rc1
certified/18.9-cert2
certified/18.9-cert3
certified/18.9-cert4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-47780.json"