CVE-2023-49294 Information
Dec 15, 2023
cve
Description
Asterisk is an open source private branch exchange and telephony toolkit. In Asterisk prior to versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6, it is possible to read any arbitrary file even when live_dangerously is not enabled. Asterisk versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk 18.9-cert6, contain a fix for this issue.
Reference
https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f
https://github.com/asterisk/asterisk/commit/424be345639d75c6cb7d0bd2da5f0f407dbd0bd5
https://github.com/asterisk/asterisk/blob/master/main/manager.c#L3757