ID

VAR-202502-0753


CVE

CVE-2024-57520


TITLE

Sangoma Asterisk vulnerability in improper permission assignment for critical resources

Trust: 0.8

sources: JVNDB: JVNDB-2025-014069

DESCRIPTION

Insecure Permissions vulnerability in Asterisk v22 allows a remote attacker to execute arbitrary code via the action_createconfig function. NOTE: this is disputed by the Supplier because the impact is limited to creating empty files outside of the Asterisk product directory (aka directory traversal) and the attack can only be performed by a privileged user who has the ability to manage the configuration. Sangoma Asterisk contains a vulnerability in improper permission assignment for critical resources. Information may be obtained, information may be tampered with, and the service may be put into a denial-of-service (DoS) state.

Trust: 1.62

sources: NVD: CVE-2024-57520 // JVNDB: JVNDB-2025-014069

AFFECTED PRODUCTS

vendor: sangoma, model: asterisk, scope: lte, version: 22.5.1

Trust: 1.0

vendor: sangoma, model: asterisk, scope: gte, version: 22.0.0

Trust: 1.0

vendor: sangoma, model: asterisk, scope: eq, version: -

Trust: 0.8

vendor: sangoma, model: asterisk, scope: -, version: -

Trust: 0.8

vendor: sangoma, model: asterisk, scope: eq, version: 22.0.0 to 22.5.1

Trust: 0.8

sources: JVNDB: JVNDB-2025-014069 // NVD: CVE-2024-57520

CVSS

SEVERITY

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2024-57520
value: CRITICAL

Trust: 1.0

OTHER: JVNDB-2025-014069
value: CRITICAL

Trust: 0.8

CVSSV2

CVSSV3

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2024-57520
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

OTHER: JVNDB-2025-014069
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2025-014069 // NVD: CVE-2024-57520

PROBLEMTYPE DATA

problemtype:CWE-732

Trust: 1.0

problemtype:Improper permission assignment for critical resources (CWE-732) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2025-014069 // NVD: CVE-2024-57520

EXTERNAL IDS

db: NVD, id: CVE-2024-57520

Trust: 2.6

db: JVNDB, id: JVNDB-2025-014069

Trust: 0.8

sources: JVNDB: JVNDB-2025-014069 // NVD: CVE-2024-57520

REFERENCES

url:https://gist.github.com/hyp164d1/ae76ab25acfbe263b2ed7b24b6e5c621

Trust: 1.8

url:https://github.com/asterisk/asterisk/issues/1122

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2024-57520

Trust: 0.8

sources: JVNDB: JVNDB-2025-014069 // NVD: CVE-2024-57520

SOURCES

db: JVNDB, id: JVNDB-2025-014069
db: NVD, id: CVE-2024-57520

LAST UPDATE DATE

2025-11-18T15:23:53.107000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2025-014069, date: 2025-09-18T08:39:00
db: NVD, id: CVE-2024-57520, date: 2025-11-06T13:15:35.177

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2025-014069, date: 2025-09-18T00:00:00
db: NVD, id: CVE-2024-57520, date: 2025-02-05T22:15:32.923