CNNVD-202602-908 Information
CNNVD ID
CNNVD-202602-908
Related CVE
- CNNVD Published: 2026-02-06
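Description (translated from Chinese)
Asterisk is an open-source PBX software system from Asterisk that runs on Linux and supports IP calls over the SIP, IAX and H323 protocols. Asterisk versions before 20.7-cert9, before 20.18.2, before 21.12.1, before 22.8.2 and before 23.2.2 contain a code issue vulnerability. The vulnerability stems from XML parsing functions using unsafe parsing options, which may lead to XML external entity (XXE) attacks or XInclude-based local file disclosure.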
Description (English)
Asterisk is open-source PBX software from Asterisk that runs on Linux and supports IP calls using the SIP, IAX and H323 protocols. Asterisk versions before 20.7-cert9, before 20.18.2, before 21.12.1, before 22.8.2 and before 23.2.2 contain a code issue vulnerability, which stems from the use of unsafe parsing options in the XML parsing functions and could lead to an XML external entity (XXE) attack or to XInclude-based disclosure of local files.
Hazard Level
High
Vulnerability Type
Code issue
Affected Vendor
Asterisk
Published
2026-02-06
Last Modified
2026-02-24
References
https://github.com/asterisk/asterisk/security/advisories/GHSA-85x7-54wr-vh42
https://access.redhat.com/security/cve/cve-2026-23739
Patch
https://github.com/asterisk/asterisk/releases