cli_permissions.conf: deny option does not work for disallowing shell commands
Description
Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring cli_permissions.conf (e.g. with the config line deny=!*) does not work which could lead to a security risk. If an administrator running an Asterisk instance relies on the cli_permissions.conf file to work and expects it to deny all attempts to execute shell commands, then this could lead to a security vulnerability. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3- Range: <18.9-cert14, <20.7-cert5
Patches
Vulnerability mechanics
References
1- github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.