An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send arbitrary requests (such as GET) to interfaces such as localhost by using the Identity header. This is fixed in 16.25.2, 18.11.2, and 19.3.2.
Advisories
Source ID Title
Debian DLA Debian DLA DLA-3194-1 asterisk security update
Debian DSA Debian DSA DSA-5285-1 asterisk security update
EUVD EUVD EUVD-2022-31057 An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send arbitrary requests (such as GET) to interfaces such as localhost by using the Identity header. This is fixed in 16.25.2, 18.11.2, and 19.3.2.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2024-08-03T05:03:32.912Z

Reserved: 2022-03-06T00:00:00

Link: CVE-2022-26499

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2022-04-15T05:15:06.640

Modified: 2024-11-21T06:54:03.990

Link: CVE-2022-26499

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.