Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-42365

Asterisk is an open source private branch exchange (PBX) and telephony toolkit. Prior to asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an AMI user with `write=originate` may change all configuration files in the `/etc/asterisk/` directory. This occurs because they are able to curl remote files and write them to disk, but are also able to append to existing files using the `FILE` function inside the `SET` application. This issue may result in privilege escalation, remote code execution and/or blind server-side request forgery with arbitrary protocol. Asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2 contain a fix for this issue.

Security Impact Summary

This vulnerability carries a HIGH severity rating with a CVSS v3.1 score of 7.4, indicating it can be exploited remotely over the network with relatively low complexity without requiring user interaction requiring only low-level privileges . The vulnerability impacts limited data confidentiality, limited integrity, and limited availability for affected systems. Impacting 2 products from asterisk, from asterisk organizations running these solutions should prioritize assessment and patching.

Historical Context

Reported in 2024, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.

Published

2024-08-08T17:15:19.340

Last Modified

2025-11-03T22:18:05.417

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.4 (HIGH)

Weaknesses

Type: Secondary
CWE-267
CWE-1220
Type: Primary
NVD-CWE-Other

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	asterisk	asterisk	< 18.24.2	Yes
Application	asterisk	asterisk	< 20.9.1	Yes
Application	asterisk	asterisk	21.4.0	Yes
Application	asterisk	certified_asterisk	13.13.0	Yes
Application	asterisk	certified_asterisk	13.13.0	Yes
Application	asterisk	certified_asterisk	13.13.0	Yes
Application	asterisk	certified_asterisk	13.13.0	Yes
Application	asterisk	certified_asterisk	13.13.0	Yes
Application	asterisk	certified_asterisk	13.13.0	Yes
Application	asterisk	certified_asterisk	13.13.0	Yes
Application	asterisk	certified_asterisk	13.13.0	Yes
Application	asterisk	certified_asterisk	13.13.0	Yes
Application	asterisk	certified_asterisk	13.13.0	Yes
Application	asterisk	certified_asterisk	16.8	Yes
Application	asterisk	certified_asterisk	16.8	Yes
Application	asterisk	certified_asterisk	16.8	Yes
Application	asterisk	certified_asterisk	16.8	Yes
Application	asterisk	certified_asterisk	16.8	Yes
Application	asterisk	certified_asterisk	16.8	Yes
Application	asterisk	certified_asterisk	16.8	Yes
Application	asterisk	certified_asterisk	16.8	Yes
Application	asterisk	certified_asterisk	16.8	Yes
Application	asterisk	certified_asterisk	16.8	Yes
Application	asterisk	certified_asterisk	16.8	Yes
Application	asterisk	certified_asterisk	16.8	Yes
Application	asterisk	certified_asterisk	16.8	Yes
Application	asterisk	certified_asterisk	16.8	Yes
Application	asterisk	certified_asterisk	16.8.0	Yes
Application	asterisk	certified_asterisk	16.8.0	Yes
Application	asterisk	certified_asterisk	16.8.0	Yes
Application	asterisk	certified_asterisk	16.8.0	Yes
Application	asterisk	certified_asterisk	16.8.0	Yes
Application	asterisk	certified_asterisk	16.8.0	Yes
Application	asterisk	certified_asterisk	16.8.0	Yes
Application	asterisk	certified_asterisk	16.8.0	Yes
Application	asterisk	certified_asterisk	16.8.0	Yes
Application	asterisk	certified_asterisk	16.8.0	Yes
Application	asterisk	certified_asterisk	16.8.0	Yes
Application	asterisk	certified_asterisk	16.8.0	Yes
Application	asterisk	certified_asterisk	16.8.0	Yes
Application	asterisk	certified_asterisk	18.9	Yes
Application	asterisk	certified_asterisk	18.9	Yes
Application	asterisk	certified_asterisk	18.9	Yes
Application	asterisk	certified_asterisk	18.9	Yes
Application	asterisk	certified_asterisk	18.9	Yes
Application	asterisk	certified_asterisk	18.9	Yes
Application	asterisk	certified_asterisk	18.9	Yes
Application	asterisk	certified_asterisk	18.9	Yes
Application	asterisk	certified_asterisk	18.9	Yes
Application	asterisk	certified_asterisk	18.9	Yes
Application	asterisk	certified_asterisk	18.9	Yes
Application	asterisk	certified_asterisk	18.9	Yes
Application	asterisk	certified_asterisk	18.9	Yes
Application	asterisk	certified_asterisk	20.7	Yes
Application	asterisk	certified_asterisk	20.7	Yes
Application	asterisk	certified_asterisk	20.7	Yes

References

https://github.com/asterisk/asterisk/blob/14367caaf7241df1eceea7c45c5b261989c2c6db/main/manager.c#L6426 Issue Tracking ([email protected])
https://github.com/asterisk/asterisk/blob/7d28165cb1b2d02d66e8693bd3fe23ee72fc55d8/main/manager.c#L6426 Issue Tracking ([email protected])
https://github.com/asterisk/asterisk/commit/42a2f4ccfa2c7062a15063e765916b3332e34cc4 Patch ([email protected])
https://github.com/asterisk/asterisk/commit/7a0090325bfa9d778a39ae5f7d0a98109e4651c8 Patch ([email protected])
https://github.com/asterisk/asterisk/commit/b4063bf756272254b160b6d1bd6e9a3f8e16cc71 Patch ([email protected])
https://github.com/asterisk/asterisk/commit/bbe68db10ab8a80c29db383e4dfe14f6eafaf993 Patch ([email protected])
https://github.com/asterisk/asterisk/commit/faddd99f2b9408b524e5eb8a01589fe1fa282df2 Patch ([email protected])
https://github.com/asterisk/asterisk/security/advisories/GHSA-c4cg-9275-6w44 Exploit, Technical Description, Vendor Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2024/10/msg00016.html (af854a3a-2127-422b-91ae-364da2661108)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For asterisk's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.