Vulnerability Details: CVE-2006-4346
Asterisk 1.2.10 supports the use of client-controlled variables to determine filenames in the Record function, which allows remote attackers to (1) execute code via format string specifiers or (2) overwrite files via directory traversals involving unspecified vectors, as demonstrated by the CALLERIDNAME variable.
Vulnerability category: Execute code
Products affected by CVE-2006-4346
- cpe:2.3:a:digium:asterisk:1.2.10:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2006-4346
- 10.50%: Probability of exploitation activity in the next 30 days
- ~95%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2006-4346
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
References for CVE-2006-4346
- http://www.sineapps.com/news.php?rssid=1448
- http://www.gentoo.org/security/en/glsa/glsa-200610-15.xml
  Asterisk: Multiple vulnerabilities (GLSA 200610-15) — Gentoo security
- http://www.securityfocus.com/bid/19683
  Patch
- http://labs.musecurity.com/advisories/MU-200608-01.txt
  Patch; Vendor Advisory
- http://securitytracker.com/id?1016742
  Patch
- http://www.securityfocus.com/archive/1/444322/100/0/threaded
- https://exchange.xforce.ibmcloud.com/vulnerabilities/28544
  Asterisk Record() format string CVE-2006-4346 Vulnerability Report
- https://exchange.xforce.ibmcloud.com/vulnerabilities/28564
  Asterisk Record() directory traversal CVE-2006-4346 Vulnerability Report
- http://www.vupen.com/english/advisories/2006/3372