| Name | CVE-2025-47780 |
| Description | Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, trying to disallow shell commands to be run via the Asterisk command line interface (CLI) by configuring `cli_permissions.conf` (e.g. with the config line `deny=!*`) does not work which could lead to a security risk. If an administrator running an Asterisk instance relies on the `cli_permissions.conf` file to work and expects it to deny all attempts to execute shell commands, then this could lead to a security vulnerability. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1106530 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| asterisk (PTS) | bullseye | 1:16.28.0~dfsg-0+deb11u4 | vulnerable |
| bullseye (security) | 1:16.28.0~dfsg-0+deb11u6 | vulnerable | |
| sid | 1:22.4.1~dfsg+~cs6.15.60671435-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| asterisk | source | (unstable) | 1:22.4.1~dfsg+~cs6.15.60671435-1 | 1106530 |
https://github.com/asterisk/asterisk/security/advisories/GHSA-c7p6-7mvq-8jq2
https://github.com/asterisk/asterisk/commit/ef1ad68131ff35445660bd0d36a04cf6f9ba6456 (18.26.2)
https://github.com/asterisk/asterisk/commit/9bcdef268432e7591142b1b8de38b2e7871566a5 (22.4.1)