
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue was discovered in Asterisk through 19.x and Certified Asterisk through 16.8-cert13. The func_odbc module provides possibly inadequate escaping functionality for backslash characters in SQL queries, which could result in broken SQL queries or potential SQL injection. This vulnerability was reported on January 5, 2022, and publicly disclosed on April 14, 2022, identified as CVE-2022-26651. The issue affects all versions of Asterisk Open Source 16.x, 18.x, 19.x, and Certified Asterisk 16.x, and was fixed in versions 16.25.2, 18.11.2, 19.3.2, and 16.8-cert14 (Asterisk Advisory).
The vulnerability exists in the func_odbc module where some databases can use backslashes to escape certain characters, such as backticks. When input containing backslashes is provided to func_odbc, it may construct a broken SQL query, causing the query to fail. While not confirmed, there is potential for SQL injection that could allow database manipulation by an external party. The severity of this vulnerability is classified as Low (Asterisk Advisory).
If exploited, this vulnerability could lead to broken SQL queries and potential database manipulation through SQL injection. The impact is particularly relevant for systems using func_odbc with databases that utilize backslashes for character escaping (Asterisk Advisory).
Two mitigation options are available: 1) Use the new SQL_ESC_BACKSLASHES dialplan function added to the func_odbc module to escape backslashes when input may contain them and the database uses backslashes to escape backticks, or 2) Disable support for backslashes for escaping in the database if the underlying database supports this configuration change (Asterisk Advisory).
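The following Python sketch is an added illustration, not Asterisk code or code from the advisory. It models quote-doubling and backslash-doubling as the assumed behaviours of SQL_ESCAPE and SQL_ESC_BACKSLASHES, plus a simplified string-literal parser, to show why a value containing backslashes breaks the query on a backslash-escaping database and how each of the two mitigations restores it. All function names and sample values are constructed.

```python
# Added illustration; simplified models, not Asterisk or database source code.

def sql_escape(value):
    """Assumed model of SQL_ESCAPE: double single quotes only."""
    return value.replace("'", "''")

def sql_esc_backslashes(value):
    """Assumed model of SQL_ESC_BACKSLASHES: double backslashes only."""
    return value.replace("\\", "\\\\")

def both(value):
    """Both escapes combined, as mitigation 1 describes."""
    return sql_escape(sql_esc_backslashes(value))

def read_literal(text, backslash_escapes):
    """Parse one single-quoted literal the way the database would.

    Returns (decoded value, trailing text), or None if the literal never
    closes. Simplification: backslash + any character yields that character.
    """
    if not text.startswith("'"):
        raise ValueError("expected an opening quote")
    out, i = [], 1
    while i < len(text):
        ch = text[i]
        if backslash_escapes and ch == "\\" and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
        elif ch == "'" and text[i + 1:i + 2] == "'":
            out.append("'")
            i += 2
        elif ch == "'":
            return "".join(out), text[i + 1:]
        else:
            out.append(ch)
            i += 1
    return None

def round_trips(value, escape, backslash_escapes):
    """True if the database decodes exactly `value` with nothing left over."""
    return read_literal("'" + escape(value) + "'", backslash_escapes) == (value, "")

SAMPLES = ["O'Brien", "a\\b", "C:\\spool\\"]  # constructed inputs

if __name__ == "__main__":
    for v in SAMPLES:
        print(repr(v),
              "quote-only:", round_trips(v, sql_escape, True),
              "| both:", round_trips(v, both, True),
              "| backslash escapes off:", round_trips(v, sql_escape, False))
```

With quote-doubling alone, the trailing backslash in the third sample escapes the closing quote, so the literal never terminates and the query fails. The second sample is stored with its backslash silently dropped.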
Source: This report was generated using AI