製品・ソフトウェアに関する情報

JVN脆弱性詳細

Asterisk の Call Detail Record Postgres logging エンジン (cdr_pgsql) における SQL インジェクションの脆弱性

Title	Asterisk の Call Detail Record Postgres logging エンジン (cdr_pgsql) における SQL インジェクションの脆弱性
Summary	Asterisk の Call Detail Record Postgres logging エンジン (cdr_pgsql) には、SQL インジェクションの脆弱性が存在します。
Possible impacts	リモート認証されたユーザにより、(1) ANI 引数および (2) DNIS 引数を介して、任意の SQL コマンドを実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Nov. 29, 2007, midnight
Registration Date	June 26, 2012, 3:54 p.m.
Last Update	June 26, 2012, 3:54 p.m.

Affected System

Digium

Asterisk 1.4.15 未満の 1.4.x、1.2.25 未満の 1.2.x、B.2.3.4 未満の B.x、および C.1.0-beta6 未満の C.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2007-6170	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6170
National Vulnerability Database (NVD)
2	CVE-2007-6170	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6170

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-89	https://jvndb.jvn.jp/ja/cwe/CWE-89.html

ベンダー情報

No	Name	URL
Asterisk Project Security Advisory
1	AST-2007-026	http://downloads.asterisk.org/pub/security/AST-2007-026.html

Change Log

No	Changed Details	Date of change
0	[2012年06月26日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2007-6170

Summary	SQL injection vulnerability in the Call Detail Record Postgres logging engine (cdr_pgsql) in Asterisk 1.4.x before 1.4.15, 1.2.x before 1.2.25, B.x before B.2.3.4, and C.x before C.1.0-beta6 allows remote authenticated users to execute arbitrary SQL commands via (1) ANI and (2) DNIS arguments.
Publication Date	Nov. 30, 2007, 10:46 a.m.
Registration Date	Jan. 29, 2021, 2:24 p.m.
Last Update	Oct. 26, 2018, 11:17 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:digium:asterisk::::::::	1.2.0			1.2.25
cpe:2.3:a:digium:asterisk::::::::	1.4.0			1.4.15
cpe:2.3:a:digium:asterisk:::::business:::*	b.2.3.0			b.2.3.4
cpe:2.3:a:digium:asterisk:c.1.0:beta1:::business:::*
cpe:2.3:a:digium:asterisk:c.1.0:beta2:::business:::*
cpe:2.3:a:digium:asterisk:c.1.0:beta3:::business:::*
cpe:2.3:a:digium:asterisk:c.1.0:beta4:::business:::*
cpe:2.3:a:digium:asterisk:c.1.0:beta5:::business:::*

Related information, measures and tools

No	URL	refsource	タグ
1	http://downloads.digium.com/pub/security/AST-2007-026.html	CONFIRM	Patch Vendor Advisory
2	http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html	SUSE	Third Party Advisory
3	http://secunia.com/advisories/27827	SECUNIA	Third Party Advisory
4	http://secunia.com/advisories/27892	SECUNIA	Third Party Advisory
5	http://secunia.com/advisories/29242	SECUNIA	Third Party Advisory
6	http://secunia.com/advisories/29782	SECUNIA	Third Party Advisory
7	http://security.gentoo.org/glsa/glsa-200804-13.xml	GENTOO	Third Party Advisory
8	http://securitytracker.com/id?1019020	SECTRACK	Third Party Advisory VDB Entry
9	http://www.debian.org/security/2007/dsa-1417	DEBIAN	Third Party Advisory
10	http://www.securityfocus.com/archive/1/484388/100/0/threaded	BUGTRAQ	Third Party Advisory VDB Entry
11	http://www.securityfocus.com/bid/26647	BID	Third Party Advisory VDB Entry
12	http://www.vupen.com/english/advisories/2007/4056	VUPEN	Third Party Advisory
13	https://exchange.xforce.ibmcloud.com/vulnerabilities/38765	XF	Third Party Advisory VDB Entry

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-89	SQLインジェクション	https://cwe.mitre.org/data/definitions/89.html