An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc module provides possibly inadequate escaping functionality for backslash characters in SQL queries, resulting in user-provided data creating a broken SQL query or possibly a SQL injection. This is fixed in 16.25.2, 18.11.2, and 19.3.2, and 16.8-cert14.
2022-04-15T05:15:06.683
2024-11-21T06:54:15.633
Modified
CVSSv3.1: 9.8 (CRITICAL)
AV:N/AC:L/Au:N/C:P/I:P/A:P
10.0
6.4
Type | Vendor | Product | Version/Range | Vulnerable? |
---|---|---|---|---|
Application | digium | asterisk | < 16.25.2 | Yes |
Application | digium | asterisk | < 18.11.2 | Yes |
Application | digium | asterisk | < 19.3.2 | Yes |
Application | digium | certified_asterisk | 16.8 | Yes |
Application | digium | certified_asterisk | 16.8 | Yes |
Application | digium | certified_asterisk | 16.8 | Yes |
Application | digium | certified_asterisk | 16.8 | Yes |
Application | digium | certified_asterisk | 16.8 | Yes |
Application | digium | certified_asterisk | 16.8 | Yes |
Application | digium | certified_asterisk | 16.8 | Yes |
Application | digium | certified_asterisk | 16.8 | Yes |
Application | digium | certified_asterisk | 16.8 | Yes |
Application | digium | certified_asterisk | 16.8 | Yes |
Application | digium | certified_asterisk | 16.8 | Yes |
Application | digium | certified_asterisk | 16.8 | Yes |
Application | digium | certified_asterisk | 16.8 | Yes |
Application | digium | certified_asterisk | 16.8 | Yes |
Application | digium | certified_asterisk | 16.8 | Yes |
Application | digium | certified_asterisk | 16.8 | Yes |
Application | digium | certified_asterisk | 16.8 | Yes |
Application | digium | certified_asterisk | 16.8 | Yes |
Application | digium | certified_asterisk | 16.8 | Yes |
Application | digium | certified_asterisk | 16.8 | Yes |
Application | digium | certified_asterisk | 16.8 | Yes |
Operating System | debian | debian_linux | 10.0 | Yes |
Operating System | debian | debian_linux | 11.0 | Yes |