CVE-2023-49294: Asterisk Path Traversal vulnerability
First published: Thu Dec 14 2023(Updated: )
Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, it is possible to read any arbitrary file even when the `live_dangerously` is not enabled. This allows arbitrary files to be read. Asterisk versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, contain a fix for this issue.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Asterisk | <18.20.1 | |
| Asterisk | >=19.0.0<20.5.1 | |
| Asterisk | =21.0.0 | |
| Asterisk | =13.13.0 | |
| Asterisk | =13.13.0-cert1 | |
| Asterisk | =13.13.0-cert1-rc1 | |
| Asterisk | =13.13.0-cert1-rc2 | |
| Asterisk | =13.13.0-cert1-rc3 | |
| Asterisk | =13.13.0-cert1-rc4 | |
| Asterisk | =13.13.0-cert2 | |
| Asterisk | =13.13.0-cert3 | |
| Asterisk | =13.13.0-rc1 | |
| Asterisk | =13.13.0-rc2 | |
| Asterisk | =16.8.0 | |
| Asterisk | =16.8.0-cert1 | |
| Asterisk | =16.8.0-cert10 | |
| Asterisk | =16.8.0-cert11 | |
| Asterisk | =16.8.0-cert12 | |
| Asterisk | =16.8.0-cert2 | |
| Asterisk | =16.8.0-cert3 | |
| Asterisk | =16.8.0-cert4 | |
| Asterisk | =16.8.0-cert5 | |
| Asterisk | =16.8.0-cert6 | |
| Asterisk | =16.8.0-cert7 | |
| Asterisk | =16.8.0-cert8 | |
| Asterisk | =16.8.0-cert9 | |
| Asterisk | =18.9-cert1 | |
| Asterisk | =18.9-cert2 | |
| Asterisk | =18.9-cert3 | |
| Asterisk | =18.9-cert4 | |
| Asterisk | =18.9-cert5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-49294?
CVE-2023-49294 has been classified as a high severity vulnerability.
How do I fix CVE-2023-49294?
To fix CVE-2023-49294, upgrade to Asterisk version 18.20.1, 20.5.1, 21.0.1, or certified-asterisk version 18.9-cert6 or above.
What does CVE-2023-49294 allow an attacker to do?
CVE-2023-49294 allows an attacker to read any arbitrary file, bypassing the need for the 'live_dangerously' setting.
Which versions of Asterisk are affected by CVE-2023-49294?
Versions prior to Asterisk 18.20.1, 20.5.1, 21.0.1, and certified-asterisk versions before 18.9-cert6 are affected by CVE-2023-49294.
Can I check for CVE-2023-49294 on my system?
Yes, you should compare your current Asterisk version against the versions listed as affected by CVE-2023-49294.
- agent/references
- agent/type
- agent/event
- agent/first-publish-date
- agent/severity
- agent/remedy
- agent/title
- agent/weakness
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/digium
- canonical/asterisk
- version/asterisk/19.0.0
- version/asterisk/21.0.0
- vendor/sangoma
- version/asterisk/13.13.0
- version/asterisk/13.13.0-cert1
- version/asterisk/13.13.0-cert1-rc1
- version/asterisk/13.13.0-cert1-rc2
- version/asterisk/13.13.0-cert1-rc3
- version/asterisk/13.13.0-cert1-rc4
- version/asterisk/13.13.0-cert2
- version/asterisk/13.13.0-cert3
- version/asterisk/13.13.0-rc1
- version/asterisk/13.13.0-rc2
- version/asterisk/16.8.0
- version/asterisk/16.8.0-cert1
- version/asterisk/16.8.0-cert10
- version/asterisk/16.8.0-cert11
- version/asterisk/16.8.0-cert12
- version/asterisk/16.8.0-cert2
- version/asterisk/16.8.0-cert3
- version/asterisk/16.8.0-cert4
- version/asterisk/16.8.0-cert5
- version/asterisk/16.8.0-cert6
- version/asterisk/16.8.0-cert7
- version/asterisk/16.8.0-cert8
- version/asterisk/16.8.0-cert9
- version/asterisk/18.9-cert1
- version/asterisk/18.9-cert2
- version/asterisk/18.9-cert3
- version/asterisk/18.9-cert4
- version/asterisk/18.9-cert5