
Cloud Vulnerability DB
A community-led vulnerabilities database
Asterisk, an open source private branch exchange and telephony toolkit, was found to contain a path traversal vulnerability (CVE-2023-49294) affecting versions prior to 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk prior to 18.9-cert6. The vulnerability was disclosed on December 14, 2023, allowing attackers to read arbitrary files even when the live_dangerously option was not enabled (GitHub Advisory).
The vulnerability exists in the AMI (Asterisk Manager Interface) GetConfig action, which did not properly validate the supplied file path before loading it, resulting in path traversal. The issue specifically affects the functions action_getconfig() and action_getconfigJson() in manager.c. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH by NIST (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and 4.9 MEDIUM by GitHub (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) (NVD). The two vectors differ only in the privileges-required metric (PR:N versus PR:H), that is, in whether an authenticated AMI session is assumed as a precondition.
The vulnerability allows attackers to read arbitrary files on the system outside of the intended configuration directory. This could lead to unauthorized access to sensitive information stored in files that should not be accessible through the AMI interface (GitHub Advisory).
The vulnerability has been fixed in Asterisk versions 18.20.1, 20.5.1, and 21.0.1, as well as certified-asterisk version 18.9-cert6. The fix includes proper path validation to ensure files accessed through GetConfig remain within the configuration directory. Users should upgrade to the patched versions to protect against this vulnerability (GitHub Patch).
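The containment check that the fix describes, shown as an added C example that is not Asterisk's own code: a requested file name is resolved lexically against the configuration directory and rejected if it is absolute, empty, or climbs above that directory with "..". CONFIG_DIR, resolve_within_config_dir() and resolve_or_null() are names assumed for this example, not Asterisk identifiers; the sample names in main() are constructed. Asterisk's actual patch lives in manager.c and should be consulted for its exact logic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed base directory. Asterisk reads its real value from asterisk.conf. */
#define CONFIG_DIR "/etc/asterisk"

/*
 * Resolve `requested` against `base` purely lexically and return true only if
 * the result stays inside `base`. On success the joined absolute path is
 * written to `out`. Rejected: absolute names, empty names, names that resolve
 * to the directory itself, and any ".." that would climb above `base`.
 */
bool resolve_within_config_dir(const char *base, const char *requested,
                               char *out, size_t outlen)
{
    const char *segments[256]; /* stack of accepted path components */
    size_t seglen[256];
    size_t depth = 0, used, i;
    const char *p;

    if (!base || !requested || !*requested || *requested == '/')
        return false;

    for (p = requested; *p; ) {
        const char *start = p;
        size_t len;
        while (*p && *p != '/')
            p++;
        len = (size_t)(p - start);
        if (*p == '/')
            p++;

        if (len == 0 || (len == 1 && start[0] == '.'))
            continue;                       /* "a//b" or "." : no effect */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return false;               /* would climb above base */
            depth--;
            continue;
        }
        if (depth == sizeof(segments) / sizeof(segments[0]))
            return false;                   /* absurdly deep name */
        segments[depth] = start;
        seglen[depth] = len;
        depth++;
    }
    if (depth == 0)
        return false;                       /* names the directory, not a file */

    /* Rebuild base/seg1/seg2... with bounds checking; drop trailing '/' on base. */
    used = strlen(base);
    while (used > 1 && base[used - 1] == '/')
        used--;
    if (used >= outlen)
        return false;
    memcpy(out, base, used);
    for (i = 0; i < depth; i++) {
        if (used + 1 + seglen[i] >= outlen)
            return false;
        out[used++] = '/';
        memcpy(out + used, segments[i], seglen[i]);
        used += seglen[i];
    }
    out[used] = '\0';
    return true;
}

/* Convenience wrapper: returns the safe path in a static buffer, or NULL if rejected. */
const char *resolve_or_null(const char *base, const char *requested)
{
    static char buf[4096];
    return resolve_within_config_dir(base, requested, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    /* Constructed sample names: two legitimate, three traversal attempts. */
    const char *samples[] = {
        "sip.conf", "sub/../extensions.conf",
        "../../etc/passwd", "/etc/passwd", "sub/../../x",
    };
    size_t n;
    for (n = 0; n < sizeof(samples) / sizeof(samples[0]); n++) {
        const char *r = resolve_or_null(CONFIG_DIR, samples[n]);
        printf("%-22s -> %s\n", samples[n], r ? r : "REJECTED");
    }
    return 0;
}
```

A lexical check like this is the minimum; it knows nothing about symbolic links, so a link placed inside the configuration directory could still point elsewhere. Where the target file is expected to exist, following the lexical check with realpath() on the result and comparing it against the realpath() of the base directory (plus a trailing slash) closes that gap.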
The vulnerability has been acknowledged and addressed by multiple Linux distributions. Debian has released security updates to address this vulnerability in their LTS release, indicating the broader impact on the open-source community (Debian LTS).
Source: This report was generated using AI