CVE-2024-42365

Publication date 8 August 2024

Last updated 11 July 2025

Ubuntu priority

Medium

Why this priority?

Cvss 3 Severity Score

7.4 · High

Score breakdown

Description

Asterisk is an open source private branch exchange (PBX) and telephony toolkit. Prior to asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an AMI user with `write=originate` may change all configuration files in the `/etc/asterisk/` directory. This occurs because they are able to curl remote files and write them to disk, but are also able to append to existing files using the `FILE` function inside the `SET` application. This issue may result in privilege escalation, remote code execution and/or blind server-side request forgery with arbitrary protocol. Asterisk versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2 contain a fix for this issue.

Status

Package Ubuntu Release Status
asterisk 26.04 LTS resolute
Needs evaluation
25.10 questing
Needs evaluation
25.04 plucky Ignored end of life, was needs-triage
24.10 oracular Ignored end of life, was needs-triage
24.04 LTS noble
Needs evaluation
22.04 LTS jammy
Needs evaluation
20.04 LTS focal Ignored end of standard support, was needs-triage
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial
Needs evaluation

Severity score breakdown

Parameter Value
Base score 7.4 · High
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Changed
Confidentiality Low
Integrity impact Low
Availability impact Low
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

References

Other references

Access our resources on patching vulnerabilities