Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 6.5
CVE Id CVE-2007-6170
Last Modified 07 Mar 2011 10:02:05
Published 29 Nov 2007 08:46:00
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication SINGLE_INSTANCE

CVE-2007-6170

Summary

SQL injection vulnerability in the Call Detail Record Postgres logging engine (cdr_pgsql) in Asterisk 1.4.x before 1.4.15, 1.2.x before 1.2.25, B.x before B.2.3.4, and C.x before C.1.0-beta6 allows remote authenticated users to execute arbitrary SQL commands via (1) ANI and (2) DNIS arguments.

Vulnerable Systems

Application

  • Digium Asterisk 1.0.9

  • Digium Asterisk 1.2.24

  • Digium Asterisk 1.4.14

  • Digium Asterisk B.2.3.3

  • Digium Asterisk C.1.0 Beta5


References

CONFIRM - http://downloads.digium.com/pub/security/AST-2007-026.html

XF - asterisk-cdrpqsql-sql-injection(38765)

VUPEN - ADV-2007-4056

BID - 26647

BUGTRAQ - 20071129 AST-2007-026 - SQL Injection issue in cdr_pgsql

DEBIAN - DSA-1417

SECTRACK - 1019020

SECUNIA - 27892

SECUNIA - 27827

GENTOO - GLSA-200804-13

SECUNIA - 29782

SECUNIA - 29242

SUSE - SUSE-SR:2008:005


Last Updated: 27 May 2016 10:46:24