Vulnerability Details : CVE-2012-2186
Incomplete blacklist vulnerability in main/manager.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert6, Asterisk Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6 allows remote authenticated users to execute arbitrary commands by leveraging originate privileges and providing an ExternalIVR value in an AMI Originate action.
Products affected by CVE-2012-2186
- cpe:2.3:a:asterisk:open_source:1.8.7:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.8.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.8.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.8.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.8.0:rc5:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.0:rc5:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.3:rc2:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.3:rc3:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.6.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.6.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.7.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.4:rc3:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.4:rc2:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.6.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.7.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.8.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.10.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.9.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.10.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.9.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.12.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.12:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.10.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.12.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.10.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.11.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.11.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.9.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.12.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:1.8.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.1.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.3:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.2.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.4.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.4.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.4.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.3.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.2.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.3.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:open_source:10.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:business_edition:*:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:business_edition:c.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:asterisk:certified_asterisk:*:cert5:*:*:*:*:*:*
- cpe:2.3:a:asterisk:certified_asterisk:1.8.11:cert:*:*:*:*:*:*
- cpe:2.3:a:asterisk:certified_asterisk:1.8.11:cert3:*:*:*:*:*:*
- cpe:2.3:a:asterisk:certified_asterisk:1.8.11:cert4:*:*:*:*:*:*
- cpe:2.3:a:asterisk:certified_asterisk:1.8.11:cert1:*:*:*:*:*:*
- cpe:2.3:a:asterisk:certified_asterisk:1.8.11:cert2:*:*:*:*:*:*
- cpe:2.3:a:asterisk:digiumphones:*:*:*:*:*:*:*:*
- cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
- cpe:2.3:a:sangoma:asterisk:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-2186
1.44%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 87 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2012-2186
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.0
|
HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C |
8.0
|
10.0
|
NIST |
References for CVE-2012-2186
-
http://www.debian.org/security/2012/dsa-2550
Debian -- Security Information -- DSA-2550-2 asterisk
-
http://downloads.asterisk.org/pub/security/AST-2012-012.html
AST-2012-012Patch;Vendor Advisory
-
http://secunia.com/advisories/50687
Sign in
-
http://secunia.com/advisories/50756
Sign in
-
http://www.securitytracker.com/id?1027460
Asterisk AMI Originate Action Lets Remote Authenticated Users Gain Elevated Privileges - SecurityTracker
Jump to