What is CVE-2019-18610?

CVE-2019-18610 is a vulnerability discovered in Sangoma Asterisk that allows a remote authenticated user to execute arbitrary system commands.

Which versions of Sangoma Asterisk are affected by CVE-2019-18610?

CVE-2019-18610 affects Sangoma Asterisk versions 13.x, 16.x, 17.x, as well as Certified Asterisk 13.21 through 13.21-cert4.

How severe is CVE-2019-18610?

CVE-2019-18610 has a severity score of 8.8, which is classified as critical.

How can I fix CVE-2019-18610?

To fix CVE-2019-18610, it is recommended to update Sangoma Asterisk to versions 13.29.2, 16.6.2, 17.0.1, or a later release.

Are there any references for CVE-2019-18610?

Yes, you can find references for CVE-2019-18610 at the following links: - [AST-2019-007](http://downloads.asterisk.org/pub/security/AST-2019-007.html) - [Debian LTS Announce](https://lists.debian.org/debian-lts-announce/2019/11/msg00038.html) - [Debian LTS Announce](https://lists.debian.org/debian-lts-announce/2022/04/msg00001.html)

Vulnerability/
CVE-2019-18610

critical

CWE

862

22/11/2019

5/8/2024

CVE-2019-18610

First published: Fri Nov 22 2019(Updated: )

An issue was discovered in manager.c in Sangoma Asterisk through 13.x, 16.x, 17.x and Certified Asterisk 13.21 through 13.21-cert4. A remote authenticated Asterisk Manager Interface (AMI) user without system authorization could use a specially crafted Originate AMI request to execute arbitrary system commands.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
Digium Asterisk	>=13.0.0<13.29.2
Digium Asterisk	>=16.0.0<16.6.2
Digium Asterisk	>=17.0.0<17.0.1
Digium Certified Asterisk	=13.21.0
Digium Certified Asterisk	=13.21.0-cert1
Digium Certified Asterisk	=13.21.0-cert2
Digium Certified Asterisk	=13.21.0-cert3
Digium Certified Asterisk	=13.21.0-cert4
Digium Certified Asterisk	=13.21.0-rc1
Debian Debian Linux	=8.0
Debian Debian Linux	=9.0

Remedy

http://downloads.asterisk.org/pub/security/AST-2019-007.html

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2019-18610?
CVE-2019-18610 is a vulnerability discovered in Sangoma Asterisk that allows a remote authenticated user to execute arbitrary system commands.
Which versions of Sangoma Asterisk are affected by CVE-2019-18610?
CVE-2019-18610 affects Sangoma Asterisk versions 13.x, 16.x, 17.x, as well as Certified Asterisk 13.21 through 13.21-cert4.
How severe is CVE-2019-18610?
CVE-2019-18610 has a severity score of 8.8, which is classified as critical.
How can I fix CVE-2019-18610?
To fix CVE-2019-18610, it is recommended to update Sangoma Asterisk to versions 13.29.2, 16.6.2, 17.0.1, or a later release.
Are there any references for CVE-2019-18610?
Yes, you can find references for CVE-2019-18610 at the following links: - [AST-2019-007](http://downloads.asterisk.org/pub/security/AST-2019-007.html) - [Debian LTS Announce](https://lists.debian.org/debian-lts-announce/2019/11/msg00038.html) - [Debian LTS Announce](https://lists.debian.org/debian-lts-announce/2022/04/msg00001.html)

collector/nvd-index
agent/author
agent/severity
agent/weakness
agent/references
agent/event
agent/tags
agent/type
agent/description
agent/remedy
agent/last-modified-date
agent/softwarecombine
agent/first-publish-date
collector/mitre-cve
source/MITRE
vendor/digium
canonical/digium asterisk
version/digium asterisk/13.0.0
version/digium asterisk/16.0.0
version/digium asterisk/17.0.0
canonical/digium certified asterisk
version/digium certified asterisk/13.21.0
version/digium certified asterisk/13.21.0-cert1
version/digium certified asterisk/13.21.0-cert2
version/digium certified asterisk/13.21.0-cert3
version/digium certified asterisk/13.21.0-cert4
version/digium certified asterisk/13.21.0-rc1
vendor/debian
canonical/debian debian linux
version/debian debian linux/8.0
version/debian debian linux/9.0