CVE-2022-26651: SQL Injection
First published: Fri Apr 15 2022(Updated: )
An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc module provides possibly inadequate escaping functionality for backslash characters in SQL queries, resulting in user-provided data creating a broken SQL query or possibly a SQL injection. This is fixed in 16.25.2, 18.11.2, and 19.3.2, and 16.8-cert14.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Digium Asterisk | >=16.0.0<16.25.2 | |
| Digium Asterisk | >=18.0<18.11.2 | |
| Digium Asterisk | >=19.0.0<19.3.2 | |
| Digium Certified Asterisk | =16.8 | |
| Digium Certified Asterisk | =16.8-cert1-rc1 | |
| Digium Certified Asterisk | =16.8-cert1-rc2 | |
| Digium Certified Asterisk | =16.8-cert1-rc3 | |
| Digium Certified Asterisk | =16.8-cert1-rc4 | |
| Digium Certified Asterisk | =16.8-cert10 | |
| Digium Certified Asterisk | =16.8-cert11 | |
| Digium Certified Asterisk | =16.8-cert12 | |
| Digium Certified Asterisk | =16.8-cert13 | |
| Digium Certified Asterisk | =16.8-cert2 | |
| Digium Certified Asterisk | =16.8-cert3 | |
| Digium Certified Asterisk | =16.8-cert4 | |
| Digium Certified Asterisk | =16.8-cert4-rc1 | |
| Digium Certified Asterisk | =16.8-cert4-rc2 | |
| Digium Certified Asterisk | =16.8-cert4-rc3 | |
| Digium Certified Asterisk | =16.8-cert4-rc4 | |
| Digium Certified Asterisk | =16.8-cert5 | |
| Digium Certified Asterisk | =16.8-cert6 | |
| Digium Certified Asterisk | =16.8-cert7 | |
| Digium Certified Asterisk | =16.8-cert8 | |
| Digium Certified Asterisk | =16.8-cert9 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| debian/asterisk | <=1:16.2.1~dfsg-1+deb10u2 | 1:16.28.0~dfsg-0+deb10u4 1:16.28.0~dfsg-0+deb11u3 1:20.5.2~dfsg+~cs6.13.40431414-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/166746/Asterisk-Project-Security-Advisory-AST-2022-003.html
- https://downloads.asterisk.org/pub/security/
- https://downloads.asterisk.org/pub/security/AST-2022-003.html
- https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
- https://www.debian.org/security/2022/dsa-5285
- https://issues.asterisk.org/jira/browse/ASTERISK-29838
- https://security-tracker.debian.org/tracker/CVE-2022-26651
Frequently Asked Questions
What is the severity of CVE-2022-26651?
The severity of CVE-2022-26651 is critical with a CVSS score of 9.8.
Which software versions are affected by CVE-2022-26651?
Asterisk versions through 19.x and Certified Asterisk versions through 16.8-cert13 are affected by CVE-2022-26651.
What is the vulnerability description for CVE-2022-26651?
The func_odbc module in Asterisk provides inadequate escaping functionality for backslash characters in SQL queries, leading to a broken SQL query or a possible SQL injection.
How can I fix CVE-2022-26651?
Upgrade to Asterisk version 20.4.0~dfsg+~cs6.13.40431414-2 or higher, or use the Debian package version 1:16.28.0~dfsg-0+deb10u3, 1:16.28.0~dfsg-0+deb11u3, or 1:20.4.0~dfsg+~cs6.13.40431414-2.
What is the Common Weakness Enumeration (CWE) for CVE-2022-26651?
The CWE for CVE-2022-26651 is CWE-89 (SQL Injection).
- collector/nvd-index
- collector/security-tracker-debian
- agent/severity
- agent/weakness
- agent/references
- agent/author
- agent/description
- agent/type
- agent/event
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/digium
- canonical/digium asterisk
- version/digium asterisk/16.0.0
- version/digium asterisk/18.0
- version/digium asterisk/19.0.0
- canonical/digium certified asterisk
- version/digium certified asterisk/16.8
- version/digium certified asterisk/16.8-cert1-rc1
- version/digium certified asterisk/16.8-cert1-rc2
- version/digium certified asterisk/16.8-cert1-rc3
- version/digium certified asterisk/16.8-cert1-rc4
- version/digium certified asterisk/16.8-cert10
- version/digium certified asterisk/16.8-cert11
- version/digium certified asterisk/16.8-cert12
- version/digium certified asterisk/16.8-cert13
- version/digium certified asterisk/16.8-cert2
- version/digium certified asterisk/16.8-cert3
- version/digium certified asterisk/16.8-cert4
- version/digium certified asterisk/16.8-cert4-rc1
- version/digium certified asterisk/16.8-cert4-rc2
- version/digium certified asterisk/16.8-cert4-rc3
- version/digium certified asterisk/16.8-cert4-rc4
- version/digium certified asterisk/16.8-cert5
- version/digium certified asterisk/16.8-cert6
- version/digium certified asterisk/16.8-cert7
- version/digium certified asterisk/16.8-cert8
- version/digium certified asterisk/16.8-cert9
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- package-manager/debian