DEBIAN-CVE-2026-23738

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2026-23738
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-23738.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-23738
Upstream
Published
2026-02-06T17:16:26Z
Modified
2026-02-19T17:01:22.199977Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using aststrappend. The endpoint at GET /httpstatus is the potential vulnerable endpoint relating to asterisk/main /http.c. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2.

References

Affected packages

Debian:11 / asterisk

Package

Name
asterisk
Purl
pkg:deb/debian/asterisk?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:16.*
1:16.16.1~dfsg-1
1:16.16.1~dfsg-1+deb11u1~bpo10+1
1:16.16.1~dfsg-1+deb11u1
1:16.16.1~dfsg-2
1:16.16.1~dfsg-3
1:16.16.1~dfsg-4
1:16.16.1~dfsg+~2.10-1
1:16.16.1~dfsg+~2.10-2
1:16.23.0~dfsg+~2.10-1
1:16.23.0~dfsg+~cs6.10.20220309-1
1:16.23.0~dfsg+~cs6.10.20220309-2
1:16.23.0~dfsg+~cs6.10.40431411-1
1:16.28.0~dfsg-0+deb11u1
1:16.28.0~dfsg-0+deb11u2
1:16.28.0~dfsg-0+deb11u3
1:16.28.0~dfsg-0+deb11u4
1:16.28.0~dfsg-0+deb11u5
1:16.28.0~dfsg-0+deb11u6
1:16.28.0~dfsg-0+deb11u7
1:16.28.0~dfsg-0+deb11u8
1:18.*
1:18.9.0~dfsg+~cs6.10.40431411-1
1:18.10.0~dfsg+~cs6.10.40431411-1
1:18.10.0~dfsg+~cs6.10.40431411-2
1:18.10.1~dfsg+~cs6.10.40431411-1
1:18.11.1~dfsg+~cs6.10.40431413-1
1:18.11.2~dfsg+~cs6.10.40431413-1
1:18.12.0~dfsg+~cs6.12.40431413-1
1:18.14.0~~rc1~dfsg+~cs6.12.40431414-1
1:18.14.0~dfsg+~cs6.12.40431414-1
1:20.*
1:20.0.0~~rc1~dfsg+~cs6.12.40431414-1
1:20.0.0~~rc2~dfsg+~cs6.12.40431414-1
1:20.0.0~dfsg+~cs6.12.40431414-1
1:20.0.0~dfsg+~cs6.12.40431414-2
1:20.0.1~dfsg+~cs6.12.40431414-1
1:20.1.0~~rc2~dfsg+~cs6.12.40431414-1
1:20.1.0~dfsg+~cs6.12.40431414-1
1:20.2.1~dfsg+~cs6.13.40431413-1
1:20.3.0~dfsg+~cs6.13.40431413-1
1:20.4.0~dfsg+~cs6.13.40431414-1
1:20.4.0~dfsg+~cs6.13.40431414-2
1:20.5.0~dfsg+~cs6.13.40431414-1
1:20.5.1~dfsg+~cs6.13.40431414-1
1:20.5.2~dfsg+~cs6.13.40431414-1
1:20.6.0~dfsg+~cs6.13.40431414-1
1:20.6.0~dfsg+~cs6.13.40431414-2
1:20.8.1~dfsg+~cs6.14.40431414-1
1:20.9.3~dfsg+~cs6.14.60671435-1
1:22.*
1:22.0.0~~rc2~dfsg+~cs6.14.60671435-1
1:22.0.0~dfsg+~cs6.14.60671435-1
1:22.1.0~dfsg+~cs6.14.60671435-1
1:22.1.1~dfsg+~cs6.14.60671435-1
1:22.2.0~dfsg+~cs6.15.60671435-1
1:22.2.0~dfsg+~cs6.15.60671435-2
1:22.3.0~~rc1~dfsg+~cs6.15.60671435-1
1:22.3.0~dfsg+~cs6.15.60671435-1
1:22.4.1~dfsg+~cs6.15.60671435-1
1:22.4.1~dfsg+~cs6.15.60671435-2
1:22.5.1~dfsg+~cs6.15.60671435-1
1:22.5.2~dfsg+~cs6.15.60671435-1
1:22.6.0~dfsg+~cs6.15.60671435-1
1:22.7.0~dfsg+~cs6.15.60671435-1
1:22.8.0+dfsg+~cs6.15.60671435-1
1:22.8.2+dfsg+~cs6.15.60671435-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-23738.json"